
Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

LakeGator (Mostly Harmless, Moderator, VIP Member)
    Risks Digest 31.51

    RISKS List Owner

    Dec 18, 2019 7:34 PM

    Posted in group: comp.risks

RISKS-LIST: Risks-Forum Digest Wednesday 18 December 2019 Volume 31 : Issue 51

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Human error installing SCADA system leads to 7.5 million gallons of
    raw sewage dumped in Valdosta, GA
    Killer Robots Aren't Regulated. Yet. (Jonah M. Kessel)
    Earth Enters Unknown as Magnetic North Pole Continues Push Toward
    Russia, Crosses Greenwich Meridian (Sputnik News)
    SpaceX to Make Starlink Satellites Dimmer to Lessen Impact on Astronomy
    (Scientific American)
    Smart lock has a security vulnerability that leaves homes open for attacks
    (CNET)
    Scores of sex offenders have state licenses to be electricians,
    manicurists, and more. The official who found out got fired. (BostonGlobe)
    Is Alexa Always Listening? How Amazon, Google, Apple Hear, Record
    (Bloomberg)
    Apple Used the DMCA to Take Down a Tweet Containing an iPhone
    Encryption Key (VICE)
    Phone-breaking Android hole revealed (Gadget)
    Deepfakes are getting better. Should we be worried? (TheBostonGlobe)
    Luggage tracking apps aren't 100% accurate. People are the weak link
    (LATimes)
    Internet of crap encryption: IoT gear is generating easy-to-crack keys
    (The Register)
    Prime Leverage: How Amazon Wields Power in the Technology World (NYTimes)
    Cloud flaws expose millions of child tracking smartwatches (TechCrunch)
    Thief Stole Payroll Data of 29,000 Facebook Employees (CISOmag)
    Companies Ignoring Third-Party Breach Alerts (Security Boulevard)
    Insurer Races to Fix Security Flaws After Whistleblower Alert
    (Bank Infosecurity)
    Audit knocks Mass. tax-collection agency (The Boston Globe)
    How hacking the human heart could replace pill popping (BBC.com)
    Bates v Post Office litigation - reliability of computers
    Re: Election Security regulations in the U.S. (Dick Mills)
    Re: What happens if your mind lives for ever on the Internet? (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 15 Dec 2019 22:04:46 -0500
    From: Shawn Merdinger <shaw...@gmail.com>
    Subject: Human error installing SCADA system leads to 7.5 million gallons of
    raw sewage dumped in Valdosta, GA

    https://valdostatoday.com/news-2/local/2019/12/human-error-led-to-massive-valdosta-sewage-spill/

    "On December 9, 2019, the staff at the Withlacoochee Wastewater Treatment
    plant notified Environmental Services personnel to inform them that flow
    into the plant had decreased by 50% over the previous few days. After a
    brief investigation, utility personnel noticed that a contractor working on
    the city's SCADA system disconnected a reference cable at the Remerton Lift
    Station for testing and failed to reconnect it. As a result of the incident,
    the lift station's level indicator and alarm agent were disconnected. The
    lift station's alarm agent system did not operate as it normally would,
    bypassing the alert notification that is typically sent to utility staff
    when there is an issue at a lift station.

    Based on the flow information collected, approximately 7,592,910 gallons
    discharged from a manhole into Sugar Creek adjacent to the 1800 block of
    Norman Drive."

    [Garbage In, Garbage Out: with a coochee-coup. PGN]

    ------------------------------

    Date: December 14, 2019 18:53:07 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Killer Robots Aren't Regulated. Yet. (Jonah M. Kessel)

    Jonah M. Kessel, *The New York Times*, 13 Dec 2019
    *Killing in the Age of Algorithms* is *The New York Times* documentary
    examining the future of artificial intelligence and warfare.
    Killer Robots Aren’t Regulated. Yet.

    Times reporters traveled to Russia, Switzerland, California and Washington,
    D.C., talking to experts in the commercial tech, military and AI
    communities. Below are some key points and analysis, along with extras from
    the documentary.

    Do I need to worry about a Terminator knocking on my door?

    Most experts say you can rest easy, for now. Weapons that can operate like
    human soldiers are not something they see in our immediate future. Although
    there are varying opinions, most agree we are far from achieving artificial
    general intelligence, or A.G.I., that would allow for Terminators with the
    kind of flexibility necessary to be effective on today's complex
    battlefield.

    However, Stuart J. Russell, a professor of computer science at the University of California, Berkeley, who wrote an influential textbook on artificial intelligence, says achieving A.G.I. that is as smart as humans is inevitable.

    So where are we now?

    There are many weapons systems that use artificial intelligence. But instead
    of thinking about Terminators, it might be better to think about software
    transforming the tech we already have.

    There are weapons that use artificial intelligence in active use today,
    including some that can search, select and engage targets on their own,
    attributes often associated with defining what constitutes a lethal
    autonomous weapon system (a.k.a. a killer robot).

    In his book *Army of None: Autonomous Weapons and the Future of War*, the
    Army Ranger turned policy analyst Paul Scharre explained, ``More than 30
    nations already have defensive supervised autonomous weapons for situations
    in which the speed of engagement is too fast for humans to respond.''

    Perhaps the best known of these weapons is the Israel Aerospace Industries
    Harpy, an armed drone that can hang out high in the skies surveying large
    areas of land until it detects an enemy radar signal, at which point it
    crashes into the source of the radar, destroying both itself and the target.

The weapon needs no specific target to be launched, and a human is not
necessary to its lethal decision making. It has been sold to Chile, China,
India, South Korea and Turkey, Mr. Scharre said, and the Chinese are
reported to have reverse-engineered their own variant.

    ``We call them precursors,'' Mary Wareham, advocacy director of the arms
    division at Human Rights Watch, said in an interview between meetings at the
    United Nations in Geneva. ``We're not quite there yet, but we are coming
    ever closer.''

    So when will more advanced lethal autonomous weapons systems be upon us?

    ``I think we're talking more about years not decades,'' she said.

    But for the moment, most weapons that use AI have a narrow field of use and
    aren't flexible. They can't adapt to different situations.

``One of the things that's hard to understand unless you've been there is
just the messiness and confusion of modern warfare,'' Mr. Scharre said in an
interview.

    ``In all of those firefights,'' he explained, ``there was never a point
    where I could very clearly say that it was 100 percent that the person I was
    looking at down the scope of my rifle was definitely a combatant.

    Soldiers are constantly trying to gauge -- is this person a threat? How
    close can they get to me? If I tell them to stop, does that mean that they
    didn't hear me or they didn't understand? Maybe they're too frightened to
    react? Maybe they're not thinking? Or maybe they're a suicide bomber and
    they're trying to kill me and my teammates.''

    Mr. Scharre added, ``Those can be very challenging environments for robots
    that have algorithms they have to follow to be able to make clear and
    correct decisions.''

    Although current AI is relatively brittle, that isn't stopping militaries
    from incorporating it into their robots. In his book, which was published in
    2018, Mr. Scharre wrote that at least 16 countries had armed drones, adding
    that more than a dozen others were working on them.

    ------------------------------

    Date: Sat, 14 Dec 2019 09:02:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Earth Enters Unknown as Magnetic North Pole Continues Push Toward
    Russia, Crosses Greenwich Meridian (Sputnik News)

    *Earlier this year, US National Oceanic and Atmospheric Administration and
    the British Geological Survey (BGS) were forced to update the World Magnetic
    Model a year ahead of schedule due to the speed with which the magnetic
    north pole is shifting out of the Canadian Arctic and toward Russia's
    Siberia.*

    EXCERPT:

The BGS and the US National Centers for Environmental Information have
released a new update to the World Magnetic Model this week, confirming that
the magnetic north pole, whose coordinates are crucial for the navigation
systems used by governments, militaries and a slew of civilian applications,
is continuing its push toward Siberia.

    ``The WMM2020 forecasts that the northern magnetic pole will continue
    drifting toward Russia, although at a slowly decreasing speed -- down to
    about 40 km per year compared to the average speed of 55 km over the past
    twenty years,'' the US agency said in a press statement.
    <World Magnetic Model 2020 Released>

    The data confirmed that this year, the magnetic north pole passed to within
    390 km of the geographic North Pole, and crossed the Greenwich (prime)
    meridian. Compilers also confirmed that the Earth's magnetic field is
    continuing to weaken, at a rate of about 5 percent every 100 years. [...]

    Earth Enters Unknown as Magnetic North Pole Continues Push Toward Russia, Crosses Greenwich Meridian

    ------------------------------

    Date: Sat, 14 Dec 2019 16:47:27 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: SpaceX to Make Starlink Satellites Dimmer to Lessen Impact on
    Astronomy (Scientific American)

    SpaceX to Make Starlink Satellites Dimmer to Lessen Impact on Astronomy.

See SpaceX's Starlink Could Change The Night Sky Forever, And Astronomers
Are Not Happy, for a brief note outlining astronomers' umbrage.

    "So now the company plans to treat one of the Starlink satellites with a
    special coating, when the next group goes in late December, according to
    SpaceX president and chief operating officer Gwynne Shotwell."

    I wonder what's in SpaceX's 'secret anti-reflective' sauce? Hopefully, the
    coating won't chip or flake off the Starlink payload while deployed in
    orbit.

    ------------------------------

    Date: Sat, 14 Dec 2019 11:19:06 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Smart lock has a security vulnerability that leaves homes open for
    attacks (CNET)

    Yet another IOT vulnerability story:

    Smart lock has a security vulnerability that leaves homes open for attacks

    There are no details in the article, but it seems to be a case of
    unencrypted communication between a "smart lock" and the phone app which
    controls it.

    ------------------------------

    Date: Sun, 15 Dec 2019 11:17:50 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Scores of sex offenders have state licenses to be electricians,
    manicurists, and more. The official who found out got fired. (BostonGlobe)

    Scores of sex offenders have state licenses to be electricians, manicurists, and more. The official who found out got fired - The Boston Globe

    ------------------------------

    Date: Sun, 15 Dec 2019 21:02:52 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Is Alexa Always Listening? How Amazon, Google, Apple Hear, Record
    (Bloomberg)


    ------------------------------

    Date: Thu, 12 Dec 2019 23:10:55 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple Used the DMCA to Take Down a Tweet Containing an iPhone
    Encryption Key (VICE)

    Apple Used the DMCA to Take Down a Tweet Containing an iPhone Encryption Key - VICE

    ------------------------------

    Date: Fri, 13 Dec 2019 03:05:16 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Phone-breaking Android hole revealed (Gadget)

    Phone-breaking Android hole revealed

    ------------------------------

    Date: Sat, 14 Dec 2019 16:12:46 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Deepfakes are getting better. Should we be worried? (TheBostonGlobe)

    https://www.bostonglobe.com/2019/12/13/opinion/deepfakes-are-coming-what-do-we-do/

    ------------------------------

    Date: Sun, 15 Dec 2019 10:48:17 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Luggage tracking apps aren't 100% accurate. People are the weak
    link (LATimes)

    https://www.latimes.com/business/story/2019-11-06/airline-luggage-tracking-apps-problems

    ------------------------------

    Date: Mon, 16 Dec 2019 11:24:20 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Internet of crap encryption: IoT gear is generating easy-to-crack
    keys (The Register)

    https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/

    ------------------------------

    Date: Tue, 17 Dec 2019 11:42:37 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Prime Leverage: How Amazon Wields Power in the Technology World
    (NYTimes)

    https://www.nytimes.com/2019/12/15/technology/amazon-aws-cloud-competition.html

    ------------------------------

    Date: Wed, 18 Dec 2019 09:03:30 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Cloud flaws expose millions of child tracking smartwatches
    (TechCrunch)

    https://techcrunch.com/2019/12/18/cloud-flaws-millions-child-watch-trackers/

    [Also noted by Gabe Goldberg. PGN]

    ------------------------------

    Date: Tue, 17 Dec 2019 11:28:45 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Thief Stole Payroll Data of 29,000 Facebook Employees (CISOmag)

    https://www.cisomag.com/thief-stole-payroll-data-of-29000-facebook-employees/

    ------------------------------

    Date: Tue, 17 Dec 2019 11:30:09 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Companies Ignoring Third-Party Breach Alerts (Security Boulevard)

    https://securityboulevard.com/2019/12/companies-ignoring-third-party-breach-alerts/

    ------------------------------

    Date: Tue, 17 Dec 2019 11:33:01 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Insurer Races to Fix Security Flaws After Whistleblower Alert
    (Bank Infosecurity)

    Report: Blue Cross and Blue Shield Minnesota Had Thousands of Old 'Critical'
    Vulnerabilities

    https://www.bankinfosecurity.com/in...urity-flaws-after-whistleblower-alert-a-13508

    ------------------------------

    Date: Tue, 17 Dec 2019 11:50:00 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Audit knocks Mass. tax-collection agency (The Boston Globe)

    `Incredibly sensitive' data is open to cyberattack at Mass. tax-collection
    agency, audit report says

    https://www.bostonglobe.com/metro/2...-tax-agency/D6SP1VxV5eGayVRYzZYCTL/story.html

    ------------------------------

    Date: Wed, 18 Dec 2019 15:50:10 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How hacking the human heart could replace pill popping (BBC.com)

    This BBC article suggests that an implanted medical device can improve your
    quality of life.
    https://www.bbc.com/future/article/20191216-how-hacking-the-human-heart-could-replace-pill-popping

    Get an implanted device, fill it with your prescription(s), and set the
    dispensation timer (every X hours) or delivery trigger condition (blood
    glucose threshold). Convenient, no? With an implant, the recipient is
    relieved from fetching a glass of water to assist medicine consumption,
    "where is my medicine" moments, or "fingertip prick, blood glucose measure,
    and insulin inject" duties. Refill the reservoir periodically, like
    recharging a mobile electronic device.

    Device implantation is a highly personal choice: to sustain longevity, a
    candidate recipient may have no other options available to manage a chronic
    or acute condition. Elective device implantation is a significant
    life-changing and potentially life-threatening decision.

    What questions do you ask a medical provider who recommends device
    implantation? What information do you need to make an informed decision?
    What are the implanted device choices? What about post-implant quality of
    life? How will the implant either change, diminish, or improve life quality?
    How often are explants (device removals) performed for the candidate device
    choice? What are implant risks and their occurrence probabilities? Why does
    your physician recommend manufacturer X's device, and not a competitor Y's?
    Does your physician receive payment or other incentive from manufacturer X
    to implant their device? What criteria drive device selection that's
    relevant to your case?

    These questions are difficult for a patient to ask their physician. A
    patient often consciously relies on physician trust to guide a "go or no-go"
    decision. You hold your physician in high regard. You rely on them to treat
    you according to the Hippocratic Oath --- that's their career-long pledge to
    serve your interests. While you can often trust your physician, can you
    automatically extend this trust to the manufacturer that supplies the tools
    and devices a physician uses to treat your condition?

    I cannot give a binary 'yes' or 'no' answer. Risk, especially risks for
    implanted cardiac devices, constitutes a measure that is too important to
    ignore.

In this note, I attempt to estimate a probability for adverse event
experience arising in cardiac-related implantable device recipients. My
analysis attempts to answer: "What is the probability of experiencing a
malfunction or injury or death (identified as adverse events) following
implantation of a pacemaker or defibrillator or electrical stimulus/sensing
lead?"

    I use freely available public, and professionally vetted/reviewed,
    literature and government sources as noted below. Basic arithmetic is used
    for computation.

    [See http://catless.ncl.ac.uk/Risks/30/53#subj1.1 for a notable book on
    implanted medical devices and their risks -- especially as experienced by
    one person implanted with a neuro-stimulator.]

    FDA's MAUDE and TOTAL PRODUCT LIFE CYCLE
    (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM)
    (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm)
    tools collate submitted device report records. They are used to capture
    adverse events (identified by the FDA as: DEATH, INJURY, MALFUNCTION, NOT
    SPECIFIED, OTHER) arising from, or possibly attributed to, implanted cardiac
    devices (defibrillators, pacemakers, electrical leads, etc.).

    To perform the analysis, I estimate an aggregate adverse event count over a
    given 42 month interval comprising 01JAN2016-31JUL2019. I use public sources
    of device implant rates to calculate a non-zero probability that an adverse
    event will impact a recipient. That the aggregation is applied across
    multiple product codes (as shown below), implies that a recipient is
    implanted with a defibrillator or pacemaker + electrical stimulus leads.

    I do not attempt to segregate and identify probabilities attributed to
    partial implant/explant, such as electrical stimulus lead explantation and
    implantation with a new one. The term 'device' used here implies pacemaker,
    defibrillator, and leads. It may also mean a big component of a pacemaker
    (pulse generator, but not the pacemaker's enclosure) or defibrillator that
    needs to be explanted or implanted.

    The FDA website clearly states a caveat about using MAUDE data to calculate
    event rates: "MAUDE data is not intended to be used either to evaluate rates
    of adverse events or to compare adverse event occurrence rates across
    devices." (See
    https://www.fda.gov/medical-devices...ser-facility-device-experience-database-maude).
    Caveat emptor!

    MAUDE content shows that on some calendar days, over 500 medical device
    reports are submitted. MAUDE's web interface will only retrieve a maximum of
    100 reports for any single day of interest (e.g. start date: 29JAN2017 and
    end date: 29JAN2017). Hitting the MAUDE retrieval limit during search may
    align with a manufacturer device recall campaign that requires a report
    submission storm to comply with regulations.

    The analysis was aided by pulling the raw zip files from
    https://www.fda.gov/medical-devices...ser-facility-device-experience-database-maude
    to process and cleanse them to enable evaluation. A few simple PYTHON
    programs were used in this process.

MAUDE and TPLC afford a means to aggregate, to count, adverse event
density. This density can be combined with published, peer-reviewed sources
to estimate a post-implant adverse event occurrence probability. MAUDE
substantially captures adverse event reports submitted by US-based
healthcare providers, device manufacturers, and recipients. Device
manufacturers apparently submit the vast majority of MAUDE reports.

    A small percentage (guestimate is ~1-2%) are submitted from manufacturer
    device representatives or healthcare providers for recipient adverse events
    in other countries (e.g., Singapore-based device representatives or
    healthcare provider submitted ~1000 reports between 01JAN2016-31JUL2019, if
    memory serves). Other countries rely on the same manufacturers (MEDTRONIC,
    BOSTON SCIENTIFIC, BIOTRONIX GMBH, ST. JUDE MEDICAL, GUIDANT, GREATBATCH
    MEDICAL, OSCOR, etc.) as the US healthcare system for implantable cardiac
    devices.

    A patient's medical condition(s), and/or change in condition(s), often
    serves as a significant justification to prepare and submit a medical device
    report that characterizes an adverse event. Comprehensive cardiac and
    electrophysiological knowledge is required to accurately assess and properly
    characterize an adverse event.

    The investigation used the following MAUDE product codes, comprising 16
    distinct cardiac implantable device types, to estimate post-implant adverse
    event probability noted below.

DTB|Permanent Pacemaker Electrode
DTD|Pacemaker Lead Adaptor
DXY|Implantable Pacemaker Pulse-Generator
LWP|Implantable Pulse Generator, Pacemaker (Non-Crt)
LWS|Implantable Cardioverter Defibrillator (Non-Crt)
MRM|Defibrillator, Implantable, Dual-Chamber
MXC|Recorder, Event, Implantable Cardiac, (Without Arrhythmia Detection)
MXD|Recorder, Event, Implantable Cardiac, (With Arrhythmia Detection)
NIK|Defibrillator, Automatic Implantable Cardioverter, With Cardiac Resynchronization (Crt-D)
NKE|Pulse Generator, Pacemaker, Implantable, With Cardiac Resynchronization (Crt-P)
NVN|Drug Eluting Permanent Right Ventricular (Rv) Or Right Atrial (Ra) Pacemaker Electrodes
NVY|Permanent Defibrillator Electrodes
NVZ|Pulse Generator, Permanent, Implantable
OJX|Drug Eluting Permanent Left Ventricular (Lv) Pacemaker Electrode
OSR|Pacemaker/Icd/Crt Non-Implanted Components
PNJ|Leadless Pacemaker

Each MAUDE product code identifier consists of 3 alphabetic characters. They
are assigned to medical devices as part of FDA device registration and
approval processes. Each product code consists of devices of similar type
and function from different manufacturers. Thus, the NVY product code
encompasses the class of Permanent Defibrillator Electrodes manufactured or
sold into the global marketplace that is subject to FDA regulation.

The TPLC tool aggregates adverse events for product codes, but assigns
unique terms to segregate event attribution into defect categories. As an
example, the DTB product code (Permanent Pacemaker Electrode) reveals this
TOP-10 tabular summary (TOTAL COUNT == 59835) reported and fully traceable to
the MAUDE system since 2016:

DEVICE PROBLEM                                               COUNT
High Capture Threshold                                        9132
Under-Sensing                                                 7738
Over-Sensing                                                  7525
Adverse Event Without Identified Device or Use Problem        7523
Device Dislodged or Dislocated                                7055
High impedance                                                6255
Failure to Capture                                            5155
Capturing Problem                                             3303
Fracture                                                      3299
Signal Artifact                                               2850

    Under-sensing occurs when the pacemaker signal amplifier is too insensitive
    -- the gain is too low -- to detect a portion of the recipient's native
    electrical heart activity. In contrast, Over-sensing occurs if the pacemaker
    signal amplifier gain is too high, leading the device to detect
    inappropriate signals, like skeletal muscle movements.

    The TPLC counts, and their assigned categories, are prepared and maintained
    by an FDA panel who review the MAUDE adverse event reports. The 'DEVICE
    PROBLEM' labels comprise an arcane lexicon that non-subject matter
    specialists struggle to interpret. A dictionary of TPLC category labels was
    not found in the FDA website.

    Based on the raw MAUDE records (downloaded in AUG2019), an analysis reveals
    that 240,232 device MALFUNCTIONS, INJURIES, DEATHS, NOT SPECIFIED, and OTHER
    adverse event records were reported between 01JAN2016-31JUL2019 (42 calendar
    months) for the 16 scoped cardiac-specific product code set. This adverse
    event population might arise from accelerated battery discharge, lead
    displacement, inappropriate shock, and over 100 unique classification terms
    that characterize MAUDE medical device reports in TPLC.

The adverse incident density is notable. It likely implies, but does not
guarantee, ~240,000 UNPLANNED physician and emergency care center visits by
device recipients. Some events may have been reported via Internet
monitoring, and deemed not sufficient to merit a provider visit on
inspection by the attendant. But we assume this event set constitutes an
insignificant fraction (<<1%) during the 42 month reporting interval.

    This paper
    (https://academic.oup.com/europace/article/19/suppl_2/ii1/4100657) from the
    European Heart Rhythm Association (EHRA) estimates that 1.25 Million
    pacemakers were implanted in 2016 worldwide. It further estimates an
    implantation rate of ~520 per million (~52 per 100,000) population. The EHRA
    pacemaker recipient average age is ~78 +/- 9 years.

In the US, the Agency for Healthcare Research and Quality (ahrq.gov)
reported 2015 statistics for pacemaker AND defibrillator implantation rate
of ~55 per 100,000 population, a value which substantially aligns with the
EHRA 2016 study. U.S. recipients' average age is ~72 years. The reporting
tool @ https://hcupnet.ahrq.gov/#setup yields this report after a little
setup.

    The total recipients for device implantation, in the US, is given by the
    rate of implantation per 100,000 times the total population:

    In 2016, US census estimates 328,677,530 population. That's 3286.7 * 100,000
    persons. 55 recipients/100,000 * (3286.7 * 100,000) ~= 180,768 recipients of
    defibrillator, pacemaker and device leads in 2016. This aggregate also
    includes device explants -- removal of pacemaker, defibrillator and leads.

    For the 42 month MAUDE reporting interval (01JAN2016-30JUL2019), we have
    240,232 adverse event reports or 5,720 reports per month.

    5,720 adverse events per month DIVIDED by 180,768 cardiac device recipients
    = 3.16% probability to experience a monthly adverse event per 2016 census
    data.

    If ~3% of implanted cardiac device recipients experience unplanned
    healthcare provider visitations, it represents a significant tax on the
    delivery system -- an extra ~5720 unplanned visits.

    Device recipients often have no alternative other than implantation to
    sustain their longevity. The estimated adverse event rate from implanted
    cardiac devices suggests that device manufacturers must pursue methods to
    suppress adverse events that initiate unplanned visits.

    If implanted device sensing issues constitute a significant cause of
    unplanned visits, it suggests that signal processing algorithms may require
    enhancement. Sustained research to improve implanted device reliability must
    become an industrial priority.

    Before electing to receive a prescription-dispensing implant, especially for
    cardiac care, ask your healthcare provider to offer statistics about adverse
    events that may initiate an unplanned visit. It is imperative for
    well-informed consumers to understand and consider the risks arising from
    implanted devices BEFORE the procedure.

    Glossy manufacturer product literature may not detail sufficient historical
    adverse event probabilities for a device implant that informed consumer
    choice requires.

Exploring FDA's medical device "systems of record," as embodied by the FDA's
MAUDE and TPLC data repositories and reporting tools, can be enlightening
and frightening. Substantial technical information about manufacturer
implanted device issues is identifiable that may impact your decision to
integrate them into your physiology. Implanted medical device manufacturer
success depends on consistently beneficial patient outcomes. While
apparently small, a demonstrable risk weighs against achievement.
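The aggregation described in the item above (scope the MAUDE records to the 16 cardiac product codes and the 01JAN2016-31JUL2019 window, count by FDA event type, then divide the monthly report count by the annual implant recipients derived from the AHRQ rate and the census figure) is reproduced below as an added example. It is not the contributor's own "simple PYTHON programs" nor FDA code: the pipe-delimited record layout (REPORT_KEY|DATE_RECEIVED|PRODUCT_CODE|EVENT_TYPE) is an assumption for the example, not the real MAUDE file format, and the sample records are constructed. Two checks a practitioner would want are included: days whose report count exceeds the 100-per-day MAUDE web retrieval limit mentioned in the item are flagged, and the month count is taken as a parameter, because January 2016 through July 2019 inclusive is 43 calendar months while the item's arithmetic uses 42.

```python
"""Added example (not the RISKS contributor's or FDA's code): MAUDE-style
adverse event aggregation on constructed records, plus the digest's
monthly-probability arithmetic.  Record layout and samples are assumptions."""
from collections import Counter
from datetime import date

# The 16 MAUDE product codes scoped in the digest item.
SCOPED_PRODUCT_CODES = {
    "DTB", "DTD", "DXY", "LWP", "LWS", "MRM", "MXC", "MXD",
    "NIK", "NKE", "NVN", "NVY", "NVZ", "OJX", "OSR", "PNJ",
}
# FDA event-type labels quoted in the digest item.
EVENT_TYPES = {"DEATH", "INJURY", "MALFUNCTION", "NOT SPECIFIED", "OTHER"}

WINDOW_START = date(2016, 1, 1)
WINDOW_END = date(2019, 7, 31)
WEB_DAILY_LIMIT = 100  # MAUDE web form returns at most 100 reports per day

# Constructed sample: a few hand-written lines plus a synthetic 120-report
# burst on one day, mimicking the recall "submission storm" the item mentions.
SAMPLE_TEXT = "\n".join(
    [
        "1001|2016-03-02|DTB|MALFUNCTION",
        "1002|2016-03-02|NVY|INJURY",
        "1003|2017-11-15|DXY|DEATH",
        "1004|2018-06-30|PNJ|malfunction",   # case differs; normalised
        "1005|2019-08-01|LWS|MALFUNCTION",   # after the window; dropped
        "1006|2018-01-10|KXX|INJURY",        # code not in scope; dropped
        "1007|2018-01-10|DTB|NOT SPECIFIED",
        "bad line without enough fields",    # malformed; skipped
    ]
    + [f"2{n:04d}|2017-01-29|NVZ|MALFUNCTION" for n in range(120)]
)


def parse_records(text):
    """Parse REPORT_KEY|DATE_RECEIVED|PRODUCT_CODE|EVENT_TYPE lines (assumed
    layout).  Malformed lines and unparsable dates are skipped, not guessed."""
    records = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        key, received, code, event = parts
        try:
            when = date.fromisoformat(received)
        except ValueError:
            continue
        records.append({"key": key, "date": when,
                        "code": code.upper(), "event": event.upper()})
    return records


def scope(records):
    """Keep only the 16 cardiac product codes inside the reporting window."""
    return [r for r in records
            if r["code"] in SCOPED_PRODUCT_CODES
            and WINDOW_START <= r["date"] <= WINDOW_END]


def months_in_window(start=WINDOW_START, end=WINDOW_END):
    """Inclusive calendar-month count of the window (43 for the defaults)."""
    return (end.year - start.year) * 12 + (end.month - start.month) + 1


def event_type_counts(records):
    """Count records per FDA event type; unknown labels fold into OTHER."""
    return dict(Counter(r["event"] if r["event"] in EVENT_TYPES else "OTHER"
                        for r in records))


def days_over_web_limit(records, limit=WEB_DAILY_LIMIT):
    """Days with more reports than the MAUDE web interface would return, i.e.
    days where a per-day web query would silently under-count."""
    per_day = Counter(r["date"] for r in records)
    return sorted(d for d, n in per_day.items() if n > limit)


def monthly_adverse_event_probability(total_reports, months,
                                      rate_per_100k, population):
    """The digest's arithmetic: (reports / months) / annual recipients,
    with recipients = implant rate per 100,000 * population / 100,000."""
    recipients = rate_per_100k * population / 100_000
    per_month = total_reports / months
    return per_month / recipients, recipients, per_month


if __name__ == "__main__":
    recs = scope(parse_records(SAMPLE_TEXT))
    print(len(recs), "in-scope records:", event_type_counts(recs))
    print("days exceeding web limit:", days_over_web_limit(recs))
    # Figures quoted in the digest item (240,232 reports; 42 months;
    # 55 per 100,000; 2016 census 328,677,530).
    p, recipients, per_month = monthly_adverse_event_probability(
        240_232, 42, 55, 328_677_530)
    print(f"recipients/yr {recipients:,.0f}, reports/month {per_month:,.0f}, "
          f"monthly probability {p:.2%}")
```

Run stand-alone, the script reports the constructed sample's in-scope counts and the one day that would be truncated by a per-day web query, then prints ~180,773 recipients, ~5,720 reports per month and ~3.16% with the item's own inputs; passing 43 instead of 42 as the month count lowers the figure slightly.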

    ------------------------------

    Date: Tue, 17 Dec 2019 13:05:18 +0000
    From: Stephen Mason <stephe...@stephenmason.co.uk>
    Subject: Bates v Post Office litigation - reliability of computers

    You might have picked up that the judge issued his (313 page) judgment
    yesterday with 3 appendices in the English case of Bates v Post Office
    Limited. They are all available here:
    https://www.judiciary.uk/judgments/bates-others-v-post-office/

    I am told by Tim McCormack [https://problemswithpol.wordpress.com/] that the
    judge went into detail about the meaning of *robust* -- although only
    discussing what the two parties had to say on the topic, and none of the
    discussions in chapter 6 of Electronic Evidence were discussed at all [the
    solicitors and barrister for the claimants were made aware of the
    practitioner text Electronic Evidence].

    [Stephen, Don't forget *resilience*; robustness is not enough. PGN]

    Electronic Evidence is open source and a download from here:
    http://ials.sas.ac.uk/about/about-us/people/stephen-mason

    Here are 3 relevant posts in relation to the opening speech of the barrister
    for the Post Office:

    The use of statistics and software code
    https://ials.blogs.sas.ac.uk/2019/06/26/the-use-of-statistics-and-software-code/

    The use of the word *robust* to describe software code
    https://ials.blogs.sas.ac.uk/2019/06/25/the-use-of-the-word-robust-to-describe-software-code/


    Robustness and reliability in computer systems
    https://ials.blogs.sas.ac.uk/2019/06/28/robustness-and-reliability-in-computer-systems/

    I will begin to read through the judgment over the next few days/weeks, and
    compare it to the transcript of the trial of Seema Misra, where the
    prosecution kept on asserting the system was robust then. I published the
    complete transcript of the Seema Misra case here:

    Introduction: https://journals.sas.ac.uk/deeslr/article/view/2217

    Transcript at the bottom of this page:
    https://journals.sas.ac.uk/deeslr/issue/view/328

    I'd appreciate people's thoughts on this when you get around to looking at
    it.

    The importance of this case is this: Seema Misra and others were prosecuted,
    and reliance was made on the robustness of the Horizon system without any
    evidence that the system was robust or what robust meant. It also appears
    that evidence given at her trial was dubious. I aim to bring out these
    issues, and wondered whether anybody had the time and patience to
    consider an article for next year's Digital Evidence and Electronic
    Signature Law Review? https://journals.sas.ac.uk/index.php/deeslr (also
    available via the HeinOnline subscription service).

    We are going to do a 5th edition of Electronic Evidence next year, coming
    out in 2021, and it would be very helpful to have a technical view on these
    issues for me to cite.

    Central to the issues are the failure of judges to order greater disclosure
    of software, which I pointed out in my article ``Artificial intelligence: Oh
    really? And why judges and lawyers are central to the way we live now -- but
    they don't know it'', Computer and Telecommunications Law Review, 2017,
    Volume 23, Issue 8, 213--225.

    Disclosure was an issue in Seema Misra's case - it appears that people were
    happy to prosecute a person on the flimsiest of evidence.

    ADDED NOTE:
    I have another URL for the judgment - this includes the appendices:
    http://www.bailii.org/ew/cases/EWHC/QB/2019/3408.pdf

    ------------------------------

    Date: Sun, 15 Dec 2019 11:45:10 -0500
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: Election Security regulations in the U.S. (RISKS-31,50)

    I agree about election security, but I think the need for regulation of
    recounts is even more urgent.

    In the USA, we are cursed by close elections where every vote counts.

    Recounts after close elections too often lead to vicious fights over recount
    procedures. It seems like every county makes up the rules as they go along.
    Paper ballots or paper receipts multiply the possibilities for recount
    fraud. IMO, recount flaws weaken public confidence even more than election
    flaws.

    We need a detailed national standard for how to handle recounts.

    ------------------------------

    Date: Wed, 18 Dec 2019 15:06:03 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: What happens if your mind lives for ever on the Internet?
    (Shapir, RISKS-31.50)

    > That's because in this context, "human intelligence" is a moving target.
    > Until the 1960's, looking up a name and number in a phone book was
    > considered a task of human intelligence;

    This is incorrect. The definition of "machines as intelligent as humans" was
    established back in 1950 in the seminal paper by Alan Turing: "Computing
    Machinery and Intelligence" which described the "Turing Test". It should
    (still) be required reading for any software engineer.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.51
    ************************
     
  2. LakeGator

    RISKS List Owner

    Jan 2, 2020 4:28 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 2 January 2020 Volume 31 : Issue 52

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    China flight systems jammed by pig farm's African swine fever defences
    (SCMP)
    Boeing spacecraft lands safely in New Mexico desert, a successful end to a
    flawed test mission (The Washington Post)
    Laser-based attacks for controlling voice-activated systems such as
    Amazon's Alexa (Light Commands)
    Science Under Attack: How Trump Is Sidelining Researchers and Their Work
    (The NY Times)
    Bumble blocked Sharon Stone, thinking she was a fake (WashPost)
    U.S. Coast Guard discloses Ryuk ransomware infection at maritime facility
    (DCO)
    CIA devised way to restrict missiles given to allies, researcher says
    (Reuters)
    Chinese Cloud Hopper hacking campaign is worse than thought (The Verge)
    Wawa Data Breach: DC, VA Customers Could Be Affected (Patch)
    Hackers steal data for 15 million patients, then sell it back to
    lab that lost it (Ars Technica)
    Executive dies, taking investor cryptocurrency with him. Now they want the
    body exhumed (Charlie Osborne)
    Driving surveillance: What does your car know about you? We hacked a 2017
    Chevy to find out. (WashPost)
    Cars towed in South End due to city error (The Boston Globe)
    How tourists take their lives into their own hands (WashPost)
    Some junk for sale on Amazon is very literally garbage, report finds
    (ArsTechnica)
    This alleged Bitcoin scam looked a lot like a pyramid scheme (WiReD)
    Apple's new Screen Time Communication Limits are easily beaten with a bug
    (ArsTechnica)
    2019 Apple Platform Security guide shows what it is doing to 'push the
    boundaries' of security and privacy (9to5Mac)
    Wave of Ring surveillance camera hacks tied to podcast, report finds
    (Ars Technica)
    How to Track President Trump (*The New York Times*)
    India's Internet shutdown shows normal practice for sovereign countries
    (Prashanth Mundkur)
    Resignation of Board Members from Verified Voting (Rebecca Mercuri)
    Meet Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting Hackers
    (WiReD)
    Planned Obsolescence (npr.org)
    Re: Human error installing SCADA system leads to 7.5 million gallons of raw
    sewage dumped in Valdosta, GA (Martin Ward)
    Re: What happens if your mind lives for ever on the Internet? (Amos Shapir,
    Roderick Rees)
    Re: Bates v Post Office litigation: reliability of computers
    (Kelly Bert Manning)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Sat, 21 Dec 2019 18:23:25 -0500
    Subject: China flight systems jammed by pig farm's African swine fever
    defences (SCMP)

    China flight systems jammed by pig farm’s African swine fever defences

    ------------------------------

    Date: Sun, 22 Dec 2019 10:26:18 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Boeing spacecraft lands safely in New Mexico desert, a successful
    end to a flawed test mission (The Washington Post)

    Because of a software problem, the uncrewed capsule had to abort its flight
    to the International Space Station

    https://www.washingtonpost.com/tech...co-desert-successful-end-flawed-test-mission/

    ------------------------------

    Date: Tue, 31 Dec 2019 10:44:26 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Laser-based attacks for controlling voice-activated systems
    such as Amazon's Alexa.

    Light Commands

    [Thanks to Steven Cheung at SRI.]

    ------------------------------

    Date: December 29, 2019 18:46:13 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Science Under Attack: How Trump Is Sidelining Researchers and Their
    Work (The NY Times)

    Brad Plumer and Coral Davenport, *The New York Times*, 28 Dec 2019
    [Long item truncated for RISKS. PGN]

    In three years, the administration has diminished the role of science in
    policymaking while disrupting research projects nationwide. Experts say the
    effects could be felt for years.

    Science Under Attack: How Trump Is Sidelining Researchers and Their Work

    WASHINGTON -- In just three years, the Trump administration has diminished
    the role of science in federal policymaking while halting or disrupting
    research projects nationwide, marking a transformation of the federal
    government whose effects, experts say, could reverberate for years.

    Political appointees have shut down government studies, reduced the
    influence of scientists over regulatory decisions and in some cases
    pressured researchers not to speak publicly. The administration has
    particularly challenged scientific findings related to the environment and
    public health opposed by industries such as oil drilling and coal mining. It
    has also impeded research around human-caused climate change, which
    President Trump has dismissed despite a global scientific consensus.

    But the erosion of science reaches well beyond the environment and climate.
    [...]

    ``When we decapitate the government's ability to use science in a
    professional way, that increases the risk that we start making bad
    decisions, that we start missing new public health risks,'' said Wendy
    E. Wagner, a professor of law at the University of Texas at Austin who
    studies the use of science by policymakers.

    ------------------------------

    Date: Tue, 31 Dec 2019 03:48:35 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Bumble blocked Sharon Stone, thinking she was a fake (WashPost)

    “Looks like our users thought you were too good to be true,” the company
    wrote to Stone on Twitter.

    https://www.washingtonpost.com/busi...s-thought-she-was-impersonating-sharon-stone/

    ------------------------------

    From: geoff goodfellow <ge...@iconia.com>
    Date: Tue, 31 Dec 2019 11:05:05 -1000
    Subject: U.S. Coast Guard discloses Ryuk ransomware infection at maritime
    facility (DCO)

    *Ransomware infection led to a disruption of camera and physical access
    control systems, and loss of critical process control monitoring systems*

    EXCERPT:

    An infection with the Ryuk ransomware took down a maritime facility for more
    than 30 hours; the US Coast Guard said in a security bulletin it published
    before Christmas.
    <https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/MSIB/2019/MSIB_10_19.pdf>

    The agency did not reveal the name or the location of the port authority;
    however, it described the incident as recent.

    "Forensic analysis is currently ongoing but the virus, identified as 'Ryuk'
    ransomware," the US Coast Guard (USCG) said in a security bulletin meant to
    put other port authorities on alert about future attacks.

    POINT OF ENTRY: PHISHING EMAIL

    USCG officials said they believe the point of entry was a malicious email
    sent to one of the maritime facility's employees.

    "Once the embedded malicious link in the email was clicked by an employee,
    the ransomware allowed for a threat actor to access significant enterprise
    Information Technology (IT) network files, and encrypt them, preventing the
    facility's access to critical files," the agency said.

    The USCG security bulletin describes a nightmare scenario after this point,
    with the virus spreading through the facility's IT network, and even
    impacting "industrial control systems that monitor and control cargo
    transfer and encrypted files critical to process operations."

    Coast Guard officials said the Ryuk infection caused "a disruption of the
    entire corporate IT network (beyond the footprint of the facility),
    disruption of camera and physical access control systems, and loss of
    critical process control monitoring systems."

    The maritime facility -- believed to be a port authority -- was forced to
    shut down its entire operations for more than 30 hours, the Coast Guard
    said.

    INCREASE IN MARITIME CYBER THREATS...

    US Coast Guard discloses Ryuk ransomware infection at maritime facility | ZDNet

    ------------------------------

    Date: Tue, 31 Dec 2019 11:03:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: CIA devised way to restrict missiles given to allies, researcher
    says (Reuters)

    EXCERPT:

    The U.S. Central Intelligence Agency has devised technology to restrict the
    use of anti-aircraft missiles after they leave American hands, a researcher
    said, a move that experts say could persuade the United States that it would
    be safe to disseminate powerful weapons more frequently.

    The new technology is intended for use with shoulder-fired missiles called
    Man-Portable Air-Defense Systems (MANPADS), Dutch researcher Jos Wetzels
    told a cybersecurity conference here in Leipzig, Germany on Saturday.
    Wetzels said the system was laid out in a batch of CIA documents published
    by WikiLeaks in 2017 but that the files were mislabeled and attracted little
    public attention until now.

    Wetzels said the CIA had come up with a *smart arms control solution* that
    would restrict the use of missiles ``to a particular time and a particular
    place.'' The technique, referred to as *geofencing*, blocks the use of a
    device outside a specific geographic area.

    Weapons that are disabled when they leave the battlefield could be an
    attractive feature. Supplied to U.S. allies, the highly portable missiles
    can help win wars, but they have often been lost, sold, or passed to
    extremists...

    CIA devised way to restrict missiles given to allies, researcher says

    ------------------------------

    From: geoff goodfellow <ge...@iconia.com>
    Date: Tue, 31 Dec 2019 11:04:06 -1000
    Subject: Chinese Cloud Hopper hacking campaign is worse than thought
    (The Verge)

    *Much worse than originally reported*

    The global hacking campaign known as *Cloud Hopper* perpetrated by
    government-sponsored Chinese hackers was much worse than originally
    reported, according to an investigation by the *Wall Street Journal*
    <Ghosts in the Clouds: Inside China’s Major Corporate Hack> you should read in full.

    The report says that at least a dozen cloud providers were affected, but
    focuses on HP to illustrate the severity of the intrusions and the tactics
    used to attack and defend. ``The Journal found that Hewlett Packard
    Enterprise Co. was so overrun that the cloud company didn't see the hackers
    re-enter their clients' networks, even as the company gave customers the
    all-clear.''

    ``Inside the clouds, the hackers, known as APT10 to Western officials and
    researchers, had access to a vast constellation of clients. The Journal's
    investigation identified hundreds of firms that had relationships with
    breached cloud providers, including Rio Tinto, Philips, American Airlines
    Group Inc., Deutsche Bank AG, Allianz SE, and GlaxoSmithKline PLC.'' [...]

    ``They came in through cloud service providers, where companies thought
    their data was safely stored. Once they got in, they could freely and
    anonymously hop from client to client, and defied investigators' attempts to
    kick them out for years.''

    A lot of this was known in broad terms, as revealed by a *Reuters*
    investigation in June.
    <Stealing Clouds>
    The more detailed *WSJ* investigation
    <Ghosts in the Clouds: Inside China’s Major Corporate Hack>
    shows just how vulnerable our data is when stored by a third party, and how
    aggressively state-sponsored hackers continue to pursue it.

    Go read this ‘Cloud Hopper’ hacking investigation by the WSJ

    ------------------------------

    Date: Thu, 19 Dec 2019 23:38:49 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Wawa Data Breach: DC, VA Customers Could Be Affected (Patch)

    Wawa Data Breach In DC, Virginia; All Stores Affected

    ------------------------------

    Date: Fri, 20 Dec 2019 11:32:01 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers steal data for 15 million patients, then sell it back to
    lab that lost it (Ars Technica)

    https://arstechnica.com/information...or-the-return-of-data-of-15-million-patients/

    ------------------------------

    Date: Wed, 18 Dec 2019 17:19:23 -0800
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Executive dies, taking investor cryptocurrency with him. Now they
    want the body exhumed (Charlie Osborne)

    ["Paging Monty Python ..."]

    Charlie Osborne for Zero Day | 18 Dec 2019
    https://www.zdnet.com/article/an-ex...ency-with-him-now-they-want-the-body-exhumed/
    Executive dies, taking investor cryptocurrency with him. Now they want the
    body exhumed. The CEO of Quadriga was the only one who could access user
    funds, but claims of his death have not satisfied everyone.

    opening text:

    The former Quadriga CX CEO Gerald Cotten died suddenly this year, taking the
    keys required to access cryptocurrency funds belonging to investors with
    him.

    Now, these same traders, devoid of millions in investment, have requested
    that the body of the firm's former CEO be exhumed to confirm his death.


    [Monty Solomon noted this on Ars Technica:
    Exhume dead cryptocurrency exec who owes us $250 million, creditors demand
    https://arstechnica.com/information...exhume-ceo-who-took-250-million-to-his-grave/
    PGN]

    ------------------------------

    Date: Thu, 26 Dec 2019 17:08:53 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Driving surveillance: What does your car know about you? We hacked
    a 2017 Chevy to find out. (WashPost)

    https://www.washingtonpost.com/tech...-car-know-about-you-we-hacked-chevy-find-out/

    ------------------------------

    Date: Sat, 21 Dec 2019 11:53:06 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cars towed in South End due to city error (The Boston Globe)

    https://www.boston.com/news/local-news/2019/12/20/south-end-cars-towed-city-error

    ------------------------------

    Date: Mon, 23 Dec 2019 09:58:25 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How tourists take their lives into their own hands (WashPost)

    https://www.washingtonpost.com/opin...8a30d8-2342-11ea-bed5-880264cc91a9_story.html

    This essay describes a two-step risk process which tourists consciously (or
    unconsciously) perform when considering travel destination activities.

    The process is apparently not unique to vacation planning, but seems to
    characterize the conduct in large, human-structured entities such as
    businesses, and governments. Organizational structures, when unethically or
    capriciously governed, can manufacture products or publish services that
    injure public health and safety.

    From the article, the process is outlined as:

    a) Risk Denied -- Trek to an active volcano for a once in a lifetime
    photograph. For White Island, the volcano's historical and current eruption
    potential/activity level has been tracked since 1975 and is available via
    https://www.geonet.org.nz/about/volcano/whiteisland.

    b) Risk Economized -- Business profit priority over rigorous life cycle
    practices compromises public safety. Messages from 2016, prior to 737 MAX
    deployment certification, indicated flight simulation MCAS anomalies that
    were not communicated to regulators (until very recently), and were
    generally shirked by senior Boeing governance given triple constraint
    (scope, schedule, cost) impact.

    Risk: Governance situation awareness denial, aka myopia.

    ------------------------------

    Date: Fri, 20 Dec 2019 11:35:00 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Some junk for sale on Amazon is very literally garbage, report finds
    (ArsTechnica)

    https://arstechnica.com/tech-policy...mazon-is-very-literally-garbage-report-finds/

    ------------------------------

    Date: Fri, 20 Dec 2019 11:44:27 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: This alleged Bitcoin scam looked a lot like a pyramid scheme (WiReD)

    https://www.wired.com/story/alleged-bitcoin-scam-like-pyramid-scheme/

    ------------------------------

    Date: Fri, 20 Dec 2019 11:46:10 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Apple's new Screen Time Communication Limits are easily beaten with
    a bug (ArsTechnica)

    https://arstechnica.com/gadgets/201...nication-limits-are-easily-beaten-with-a-bug/

    ------------------------------

    Date: Sat, 21 Dec 2019 00:45:34 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 2019 Apple Platform Security guide shows what it is doing to 'push
    the boundaries' of security and privacy (9to5Mac)

    https://9to5mac.com/2019/12/19/2019...-push-the-boundaries-of-security-and-privacy/

    ------------------------------

    Date: Fri, 20 Dec 2019 11:49:56 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Wave of Ring surveillance camera hacks tied to podcast, report
    finds (Ars Technica)

    https://arstechnica.com/tech-policy...ce-camera-hacks-tied-to-podcast-report-finds/

    ------------------------------

    Date: Sat, 21 Dec 2019 17:14:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How to Track President Trump (*The New York Times*)

    https://www.nytimes.com/interactive/2019/12/20/opinion/location-data-national-security.html

    ------------------------------

    Date: Thu, 19 Dec 2019 05:38:26 +0000
    From: Prashanth Mundkur <prashant...@sri.com>
    Subject: India's Internet shutdown shows normal practice for sovereign
    countries (People.CN)

    China is now using Indian actions to shut down the Internet as a
    justification for its own throttling:

    17 Dec 2019
    http://en.people.cn/n3/2019/1217/c90000-9641267.html

    ------------------------------

    Date: Thu, 19 Dec 2019 19:36:42 -0500
    From: Rebecca Mercuri <not...@mindspring.com>
    Subject: Resignation of Board Members from Verified Voting

    [News summary provided by Rebecca Mercuri, Ph.D. <mer...@acm.org>.]

    https://www.fastcompany.com/9044155...-it-has-been-endorsing-untrustworthy-machines

    Richard DeMillo <https://www.cc.gatech.edu/people/richard-demillo>, a
    Georgia Tech professor who sat on Verified Voting’s advisory board, and UC
    Berkeley statistics professor and associate dean Philip Stark
    <https://www.stat.berkeley.edu/~stark/>, a VV board member, have resigned
    from the advocacy group, stating that they believe that Verified Voting has
    been giving election officials false confidence in some voting machines and
    providing cover for the companies that make and sell these machines.

    In DeMillo's December 1 resignation letter to Barbara Simons (chair of VV's
    board of directors), he claimed that ``Verified Voting’s policy positions
    were unpredictable, contradictory, and not aligned with the values I once
    believed we shared. On more than one occasion, Verified Voting has taken
    contradictory public stances in the span of a few days, undercutting allies
    and supporters. The pattern of espousing new positions and making public
    statements that take local VV stakeholders by surprise is nothing
    new. Rather than seeking out advice, Verified Voting has gone to great
    lengths to avoid it.''

    With respect to VV's involvement in a Risk Limiting Audit (RLA) pilot in
    Georgia, DeMillo claimed that ``Verified Voting's seal of approval for the
    security theatrics in Bartow County undermines efforts to make elections
    more accountable. ... No audit based on an untrustworthy audit trail can
    confirm the correctness of the outcome. Billing such an exercise as an RLA
    and touting it as a proof of security plays into the hands of cynics.''

    Stark, who resigned on November 21, accused VV of being on the *wrong side*
    saying: ``Our message to jurisdictions that buy poorly designed, insecure,
    universal-use BMD [ballot marking device systems] should be, `We tried to
    warn you. You need a better voting system' ... Instead, we're saying, ‘Don't
    worry: VV will teach you to sprinkle magic RLA dust and fantasies about
    parallel testing on your untrustworthy election. All will be fine; you can
    use our authority and reputation to silence your critics.''

    ------------------------------

    Date: Thu, 19 Dec 2019 23:36:51 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Meet Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting
    Hackers (WiReD)

    https://www.wired.com/story/meet-the-mad-scientist-who-wrote-the-book-on-how-to-hunt-hackers/

    ------------------------------

    Date: Fri, 20 Dec 2019 18:08:40 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Planned Obsolescence (npr.org)



    [NOTE: See http://catless.ncl.ac.uk/Risks/30/11#subj7.1 for the first
    mention of 'Phoebus Cartel' in comp.risks.]

    Planned obsolescence encompasses two key business priorities that fuel the
    consumer marketplace:

    1) Products are designed and manufactured to fail within a certain service
    lifetime interval;

    2) Product obsolescence promotes incremental improvements, and new versions
    become available for consumer purchase, often promoted as 'greener,
    reduced operational cost expenditure, faster, more reliable, etc.' than
    their predecessors to induce sales.

    Brand loyalty or guilt from being 'left behind' can compel a repurchase
    decision.

    Light bulbs were originally designed and manufactured to never fail. Their
    nascent longevity and resilience testifies to engineering pride and
    demonstrable human ingenuity. However, light bulb manufacturing businesses
    observed that a marketplace saturated with very durable illumination
    products limits future sales: revenue capture and realization stall, and
    long-term profit potential and earnings drop.

    And the light bulb's initially immutable nature, since reduced to ~1000
    continuous hours (for the old wire filament type), taught business that
    product innovation via incremental change can promote future profit
    generation.

    In structured business organizations, product change embodies processes
    governed according to a risk management framework that weighs requirements,
    process alternatives, and operational key performance metrics against
    concrete business outcome potentials (market-share capture and revenue
    growth, reputation improvement, etc.).

    For technological devices, a new software revision or hardware enhancement
    represents a product change that requires sophisticated, accountable, and
    ethically motivated process governance. The evolution or introduction of
    cellphones, smart home appliances, aircraft maneuvering augmentation
    systems, pharmaceutical infusion devices, robotic surgery platforms,
    implanted medical devices, etc. epitomize incremental technological change.

    Tom Wolfe's "The Right Stuff" states concisely: "No bucks, no Buck Rogers."
    Technological change is "Buck Rogers." Incremental product change requires
    investment. Risk -- to the public, to the business, to the environment --
    arises from change, especially so for software, multi-billion transistor
    chips, neuromorphics, memristors, quantum computers, etc. The creators and
    builders of these products constitute considerable business expenses;
    intellectual property innovation is not free, unless it is stolen.

    Business risk planning and mitigation cannot be 100% complete or
    accurate. Capricious collaboration, peculiar organizational behavior, and
    mistake can be inimical to successful risk planning initiatives. Perfection
    does not, and cannot, exist anywhere in a business or project life cycle
    context.

    Technological systems or devices embody complexity that cannot be completely
    characterized or profiled for risk. Consequently, product failures, or
    unexpected field operations, materialize as consumer inconvenience, brand
    outrage, and/or fatality.

    An ethical and accountable governance process is expected to engage to
    forestall catastrophe when change management processes are pressurized or
    corrupted to overlook relevant risks that potentially sacrifice product
    viability, especially if public safety is jeopardized by these
    circumstances.

    Product change abandonment, and conscientious evaluation by root cause
    analysis, are essential when potential business profit sacrifice assumes
    priority over public risk exposure. A product that does no harm is more
    likely to sell than one that injures the public. Automobiles constitute an
    acknowledged exception on this point, as do firearms, cigarettes, opioid
    pharmaceuticals, etc. All of these products are subject to regulation and
    enforcement in the US. Regulatory enforcement effectiveness is unfortunately
    debatable.

    Business risk blindness, and profit pursuit, have repeatedly jeopardized
    public safety. In an era where regulatory arbitrage, and regulatory capture,
    enable and sponsor risk blindness, profit motives become brand outrage's
    and disaster's bridesmaid. Rigorous regulatory structures, strict
    enforcement and penalties that deter reckless business governance conduct
    are essential. Businesses must cease exploitation of product change that
    sacrifices public blood and treasure.

    ------------------------------

    Date: Fri, 20 Dec 2019 16:16:30 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Human error installing SCADA system leads to 7.5 million
    gallons of raw sewage dumped in Valdosta, GA (RISKS-31.51)

    The cause is described as "human error": but surely it is a design
    error if a disconnected sensor is indistinguishable from a connected
    sensor reporting that everything is OK?
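The design error Martin Ward describes, as an added illustration that is not code from the Valdosta system (the report gives no detail of its instrumentation). It assumes a 4-20 mA analog level transmitter feeding a pump-station controller; every value, threshold and name below is constructed.

```python
"""Fail-safe sensor handling: a disconnected sensor must not look like 'all clear'."""
from dataclasses import dataclass
from typing import Optional

SPAN_FT = 20.0          # constructed: transmitter full-scale range
HIGH_LEVEL_FT = 8.0     # constructed: wet-well level that must raise the alarm
OPEN_LOOP_MA = 3.6      # below this a live-zero loop cannot be a healthy sensor
STALE_AFTER_S = 30.0    # constructed: a healthy transmitter updates at least this often


def level_dead_zero(ma: float) -> float:
    """Flawed scaling: 0 mA is read as 'empty'.

    A wire left unplugged during installation delivers 0 mA, which this
    function converts to 0.0 ft: exactly what a healthy sensor over an empty
    well would report. Disconnected and 'everything is OK' are indistinguishable.
    """
    return max(0.0, min(SPAN_FT, ma / 20.0 * SPAN_FT))


def level_live_zero(ma: float) -> Optional[float]:
    """Live-zero scaling: 4 mA is 'empty', 20 mA is full scale.

    No working transmitter drives the loop below roughly 3.6 mA, so a reading
    there is a wiring or power fault and is reported as None, not as a level.
    """
    if ma < OPEN_LOOP_MA:
        return None
    return max(0.0, min(SPAN_FT, (ma - 4.0) / 16.0 * SPAN_FT))


@dataclass(frozen=True)
class Decision:
    alarm: bool
    reason: str


def decide_naive(ma: float) -> Decision:
    """Controller logic that only asks 'is the level high?'."""
    level = level_dead_zero(ma)
    if level > HIGH_LEVEL_FT:
        return Decision(True, "high level")
    return Decision(False, "ok")


def decide_failsafe(ma: float, age_s: float) -> Decision:
    """Controller logic that treats absence of trustworthy data as an alarm.

    age_s is the time since the last sample actually arrived; a value frozen
    by a dead link is stale even when it looks plausible.
    """
    if age_s > STALE_AFTER_S:
        return Decision(True, f"sensor fault: last sample {age_s:.0f}s old")
    level = level_live_zero(ma)
    if level is None:
        return Decision(True, f"sensor fault: open loop ({ma:.1f} mA)")
    if level > HIGH_LEVEL_FT:
        return Decision(True, f"high level ({level:.1f} ft)")
    return Decision(False, f"ok ({level:.1f} ft)")


if __name__ == "__main__":
    # Constructed installation scenario: the transmitter was never wired in,
    # so the loop reads 0 mA while the well quietly fills.
    for ma, age in [(12.0, 1.0), (0.0, 1.0), (8.0, 120.0)]:
        print(f"{ma:5.1f} mA  naive={decide_naive(ma)}  failsafe={decide_failsafe(ma, age)}")
```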

    ------------------------------

    Date: Sat, 21 Dec 2019 17:32:06 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: What happens if your mind lives forever on the Internet?
    (Ward, RISKS-31.51)

    Of course I'm aware of the Turing Test, but I think its definition of an
    "evaluator" who cannot distinguish between a human and a machine on-line, is
    also a moving target. The more we're used to interacting with "talking
    machines", the more we become adept at distinguishing between these and
    "real" humans.

    I think no machine could ever fool its own creators; for them, at least, the
    answer to the question "When will machines become as intelligent as humans",
    would therefore always be "20 years from now".

    ------------------------------

    Date: Thu, 19 Dec 2019 15:22:38 -0800
    From: Roderick Rees <jp3va...@gmail.com>
    Subject: Re: What happens if your mind lives forever on the Internet?

    Martin Ward writes that the definition of "machines as intelligent as
    humans" was established back in 1950 in the seminal paper by Alan Turing:
    "Computing Machinery and Intelligence", which described the "Turing Test".
    It should (still) be required reading for any software engineer.

    The concept of machine intelligence is faulty because there is no clear and
    generally accepted concept of human intelligence. It is not merely the
    intellectual capability of manipulating logic, and humans survived very well
    for a long time without formal logic.

    Also, despite Turing's clearly superior mathematical mind, he did not
    sufficiently understand human thinking. For consider, in the early days of
    language and thinking with language, there was no need to distinguish
    between speech from a human and speech from, say, a rock. If you heard
    speech, then of course you would normally assume it was a human speaking.
    And the first recorded case of a human reacting to words from a machine as
    if they were from a human was in the Doctor and Eliza experiments, with only
    the most primitive processing of language. The "Turing Test" is not valid.

    ------------------------------

    Date: Tue, 31 Dec 2019 14:41:39 -0500 (EST)
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Bates v Post Office litigation: reliability of computers
    (RISKS-31.51)

    There is an older UK case, going back to around Eternal September or before,
    involving a British Police Officer who was initially convicted of attempted
    fraud simply for asking about the details of an unrecognized withdrawal from
    his bank account.

    I will check old dead tree issues of *Privacy Journal* to see if I can
    find more details in those.

    If memory serves the only detail he ever got from the bank was a clerk
    asking him if he enjoyed his Irish Vacation. He had not been to Ireland.

    The bank had a draconian response to his simple request for details of what
    we would now regard as an obvious case of ATM error or card cloning fraud
    insisting that the Officer was trying to defraud them, rather than providing
    details such as the location of the ATM and the time of day.

    The Officer was convicted at the lowest level court, which got him fired, as
    well as convicted. Things only turned around when the British Computer
    Society got involved, providing Expert Opinion during the appeal about the
    unreliability of the bank's ATM system and supposed ironclad
    evidence. "Trust us, it is all in the computer and the computer is always
    correct" should never be allowed to pass unchallenged in court.

    ------------------------------

    Date: Thu, 19 Dec 2019 10:32:19 -0500 (EST)
    From: poi...@pobox.com (Don Poitras)
    Subject: Re: RISKS-31.51

    > In the USA, we are cursed by close elections where every vote counts.
    > Recounts after close elections too often lead to viscous fights over recount

    I for one, would love to see those "viscous" fights filmed and put up on
    you-tube. Perhaps we could make the politicians fight it out in huge tubs
    of honey.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.52
    ************************
     
  3. LakeGator

    Risks Digest 31.53

    RISKS List Owner

    Jan 6, 2020 8:01 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 6 January 2020 Volume 31 : Issue 53

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Happy New Year?]
    The Ghost of Y2K hits Hamburg (Hamburger Abendblatt)
    Software Glitch Affects 14,000 New York City Parking Meters (WSJ+)
    The Internet Is No Longer a Disruptive Technology (Bloomberg)
    'Shattered' -- Inside the secret battle to save America's undercover
    spies in the digital age (WashPost)
    737 MAX Crashes Strengthen Resolve of Boeing to Automate Flight (WSJ + NYT
    item)
    Europe rejects patent applications signed with AI inventor (Charlie Osborne)
    Amazon's Next-Day Delivery Has Brought Chaos And Carnage To America's
    Streets, But The World's Biggest Retailer Has A System To Escape The Blame
    (Michelle Thompson)
    Company shuts down because of ransomware, leaves 300 without jobs just
    before holidays (Catalin Cimpanu)
    Fresh Cambridge Analytica leak 'shows global manipulation is out of control'
    (Carole Cadwalladr)
    Re: What happens if your mind lives forever on the Internet? (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 2 Jan 2020 23:31:13 +0100
    From: Debora Weber-Wulff <weberwu@HTW-Berlin.de>
    Subject: The Ghost of Y2K hits Hamburg (Hamburger Abendblatt)

    The city of Hamburg in Germany has 120 new DT5 trains - and 95 of
    them still won't work after the new decade has blown in. As soon as a
    train reaches the end of the line and has to reverse its direction (and
    the train driver must turn it off and walk to the other end to drive it
    back), it won't turn on again. At all.

    The Hamburger Abendblatt reports that an informer told them that this is
    attributable to a date problem, with the year flipping from 19 to 20.

    Panne bei der Hochbahn in Hamburg: 95 neue DT5-U-Bahnen ausgefallen
    [Breakdown at the Hamburg Hochbahn: 95 new DT5 subway trains out of service]

    All the trains stopped dead in their tracks, so to say. They have
    managed to fix the software on 25 of them, but so many are missing
    they are having to run short trains in the hopes of even keeping
    up with the schedule.

    A bit later in the article an update is mentioned as being at fault, the
    rest of the article is politicians blathering on.

    Their troubles don't stop there: a passenger purchased a ticket on 1 Jan
    2020 that is not valid until 1.1.2040. Picture included.

    I can't quite imagine what exactly went wrong in both of these cases,
    but I'd sure like to find out. Any readers with more information?

    ------------------------------

    Date: Sat, 4 Jan 2020 02:34:42 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Software Glitch Affects 14,000 New York City Parking Meters (WSJ+)

    A software glitch has left 14,000 electronic parking meters across New York
    City unable to read credit cards since the start of the new year, city
    officials said Friday.

    The glitch involved an antifraud security setting in meters made by software
    provider Flowbird that disables card payments beyond Jan. 1, 2020, according
    to the city's Department of Transportation.

    Software Glitch Affects 14,000 New York City Parking Meters

    [Jan Wolitzky noted *The NYTimes* item:
    Parking Meters Are Rejecting Credit Cards in Y2K-Type Glitch
    while danny burstein seemed to have the correct analysis:
    ``Sounds like the "sliding calendar" kluge to get around the
    original Y2K problem, with a "if year = 0 to 19", etc.''
    PGN]
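The "sliding calendar" kludge danny burstein refers to, as an added illustration; this is not Flowbird's code and the meters' real logic is not public. The anti-fraud gate (refuse card payments when the meter's clock decodes to a date before the firmware's own epoch) and both dates are constructed to match the reported symptom.

```python
"""Two-digit year windowing: why a fixed 'year 0 to 19' pivot stops working in 2020."""
from datetime import date


def window_year_fixed(yy: int, pivot: int = 19) -> int:
    """Y2K-era fix with a hard-coded pivot: 00..pivot -> 20xx, everything else -> 19xx.

    Works from 2000 through 2019; on 1 Jan 2020 the clock's '20' maps to 1920.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy <= pivot else 1900 + yy


def window_year_sliding(yy: int, reference: date, years_ahead: int = 20) -> int:
    """Window that moves with a trusted reference date instead of a fixed pivot.

    Chooses the century so the result falls in the 100-year span
    [reference.year - (100 - years_ahead), reference.year + years_ahead - 1].
    The reference must not itself come from the two-digit clock being decoded;
    a firmware build or deployment date is a reasonable choice.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    low = reference.year - (100 - years_ahead)
    candidate = low - low % 100 + yy
    return candidate + 100 if candidate < low else candidate


FIRMWARE_EPOCH = date(2015, 1, 1)   # constructed: meter refuses clocks earlier than this
FIRMWARE_BUILD = date(2018, 6, 1)   # constructed: trusted reference for the sliding window


def sliding_to_year(yy: int) -> int:
    """Sliding window anchored on the (constructed) firmware build date."""
    return window_year_sliding(yy, FIRMWARE_BUILD)


def card_payments_enabled(clock_mmddyy: str, to_year) -> bool:
    """Constructed anti-fraud gate: card payments require a sane meter clock.

    clock_mmddyy is the meter's two-digit-year clock, e.g. '01/01/20';
    to_year converts the two-digit year to four digits.
    """
    mm, dd, yy = (int(part) for part in clock_mmddyy.split("/"))
    return date(to_year(yy), mm, dd) >= FIRMWARE_EPOCH


if __name__ == "__main__":
    # Constructed clocks: the last day the fixed pivot works, and the first it fails.
    for clock in ("12/31/19", "01/01/20"):
        print(clock,
              "fixed pivot:", card_payments_enabled(clock, window_year_fixed),
              "sliding:", card_payments_enabled(clock, sliding_to_year))
```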

    ------------------------------

    Date: Thu, 2 Jan 2020 10:47:13 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Internet Is No Longer a Disruptive Technology (Bloomberg)

    The disruptive innovators of 10 years ago are today's stable incumbents

    Internet-enabled industry disruption defined business strategy in the 2010s,
    but as 2020 begins, that era appears to be winding down. The disruptors have
    largely become the new establishment, and unlike a decade ago, it doesn't
    look like the new leaders will be displaced any time soon. Today's
    Internet is a mature and mainstream technology.

    This was not the case a decade ago. In 2009, multiple industries were in the
    midst of upheaval thanks to Internet-enabled transformations. The iPhone was
    only two years old. In the music industry, compact discs still represented a
    plurality of revenues, and most of the rest came from digital purchases.
    Streaming, whether of music or on Netflix, was still in its infancy. We were
    in the middle of the transition from print ads to digital ones; 2009 was the
    last year the newspaper industry had higher ad revenues than Google, and the
    last year Facebook's revenues were less than $1 billion. E-commerce was
    growing, but Sears and Kmart were still large retail chains. YouTube was
    known mostly for a handful of viral videos (Susan Boyle, anyone?).

    Today, much has changed. The music industry has become the streaming
    industry, with compact discs and digital sales becoming less and less
    important; today's industry growth is powered by subscriptions. Beginning
    a few years ago, total revenues have started to grow again after 15 years of
    declines. The competitive threats to the leader in music streaming, Spotify,
    come from well-financed competitors with similar offerings, like Apple Music
    and Amazon Music, rather than a brand-new technology. The music industry may
    have been the first to be threatened by internet-related disruption in the
    late 1990s, with the growth of mp3 sharing and Napster, and is now perhaps
    the first industry to have completed its transformation.

    The advertising industry has been transformed by Google and Facebook. Early
    in the 2010s, there was a popular chart showing that online ad revenues
    represented a much smaller share of total ad revenues than internet use
    represented for total time spent consumer content. The reverse was true for
    print media and print ads. Today that gap has closed. Print and radio now
    account for just 15% of total ad spend.

    Perhaps no industry has been hurt more by the internet this decade than
    physical retail. E-commerce has continued to gain market share. Many
    retailers have gone bankrupt. Malls keep closing. Sears and Kmart have
    closed hundreds of stores, and their parent company flirts with bankruptcy.
    Yet we've also seen that Walmart, Target and Costco are more formidable
    competitors than the retailers that have disappeared, and all three have
    stock prices near all-time highs. Top-tier malls have reinvented themselves
    by adding restaurants, apartments and hotels. E-commerce is starting to have
    its share of growing pains due to high customer acquisition costs as online
    ad rates have soared, and some online firms are finding that building their
    own stores makes good business sense. The future of shopping is more complex
    than just e-commerce crushing brick-and-mortar stores. [...]

    The Internet Is No Longer a Disruptive Technology

    ------------------------------

    Date: Thu, 2 Jan 2020 10:48:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: 'Shattered' -- Inside the secret battle to save America's
    undercover spies in the digital age (WashPost)

    EXCERPT:

    When hackers began slipping into computer systems at the Office of Personnel
    Management in the spring of 2014, no one inside that federal agency could
    have predicted the potential scale and magnitude of the damage. Over the
    next six months, those hackers -- later identified as working for the
    Chinese government -- stole data on nearly 22 million former and current
    American civil servants, including intelligence officials.

    The data breach, which included fingerprints, personnel records and security
    clearance background information, shook the intelligence community to its
    core. Among the hacked information's other uses, Beijing had acquired a
    potential way to identify large numbers of undercover spies working for the
    U.S. government. The fallout from the hack was intense, with the CIA
    reportedly pulling its officers out of China.
    <https://www.washingtonpost.com/worl...78943c-66d1-11e5-9ef3-fde182507eac_story.html>
    (The director of national intelligence later denied this withdrawal.)
    <https://www.washingtonpost.com/worl...31aa4e-81a5-11e5-a7ca-6ab6ec20f839_story.html>

    Personal data was being weaponized like never before. In one previously
    unreported incident, around the time of the OPM hack, senior intelligence
    officials realized that the Kremlin was quickly able to identify new CIA
    officers in the U.S. Embassy in Moscow -- likely based on the differences in
    pay between diplomats, details on past service in *hardship* posts, speedy
    promotions and other digital clues, say four former intelligence officials.
    Those clues, they surmised, could have come from access to the OPM data,
    possibly shared by the Chinese, or some other way, say former officials.

    The OPM hack was a watershed moment, ushering in an era when big data and
    other digital tools may render methods of traditional human intelligence
    gathering extinct, say former officials. It is part of an evolution that
    poses one of the most significant challenges to undercover intelligence work
    in at least a half century -- and probably much longer. [...]
    'Shattered': Inside the secret battle to save America's undercover spies in the digital age

    ------------------------------

    Date: Wed, 1 Jan 2020 11:16:18 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: 737 MAX Crashes Strengthen Resolve of Boeing to Automate Flight
    (WSJ + NYT item)

    Boeing, Airbus and industry experts for long have planned more technology to
    prevent pilot error

    MAX Crashes Strengthen Resolve of Boeing to Automate Flight

    [*The NYTimes* on 6 Jan 2020 notes that Boeing reported to the FAA in early
    January 2020 that they had discovered the cabling controlling the
    tail-plane stabilizers on the 737 Max had wires whose close proximity
    could result in a short, which could result in catastrophe. This appears
    to require only a minor fix, although it may also affect the earlier
    737 MG aircraft as well. (However, it has not been a problem to date, so
    this will be a proactive fix.) PGN]

    ------------------------------

    Date: Fri, 03 Jan 2020 15:21:33 -0800
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Europe rejects patent applications signed with AI inventor
    (Charlie Osborne)

    Charlie Osborne for Between the Lines | 3 Jan 2020
    AI-generated ideas and concepts are at the center of a heated ownership debate.
    https://www.zdnet.com/article/europe-rejects-patent-applications-signed-with-ai-as-the-inventor/

    The European Patent Office (EPO) has rejected two patent applications in
    which artificial intelligence (AI) was designated as the inventor.

    Current rules dictate that humans must be attributed as inventors behind a
    patent application in order to prevent full corporate inventorship from
    becoming a recognized practice for ideas. Now, the idea of AI having a form
    of 'ownership' has clashed with this traditional stance.

    The team argues that "inventorship should not be restricted to natural
    persons," and "a machine that would meet inventorship criteria if it were a
    natural person should also qualify as an inventor."

    ------------------------------

    Date: Fri, 03 Jan 2020 15:46:57 -0800
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Amazon's Next-Day Delivery Has Brought Chaos And Carnage To
    America's Streets, But The World's Biggest Retailer Has A System To Escape
    The Blame (Michelle Thompson)

    Deaths and devastating injuries. A litany of labor violations. Drivers
    forced to urinate in their vans. Here is how Amazon's gigantic,
    decentralized, next-day delivery network brought chaos, exploitation, and
    danger to communities across America. (BuzzFeed News)

    opening text:

    Valdimar Gray was delivering packages for Amazon at the height of the
    pre-Christmas rush when his three-ton van barreled into an 84-year-old
    grandmother, crushing her diaphragm, shattering several ribs, and fracturing
    her skull.

    ``Oh my god!'' screamed Gray as he leaped out of his van. It was a bright,
    clear afternoon on Dec. 22, 2016, and the 29-year-old had been at the wheel
    of the white Nissan since early that morning, racing to drop Amazon packages
    on doorsteps throughout Chicago. He stood in anguish next to Telesfora
    Escamilla as she lay dying, her blood pooling on the pavement just three
    blocks from her home. After the police arrived, Gray submitted to drug and
    alcohol tests, which came up clean. He would later be charged with reckless
    homicide.

    [Sadly, not the only case.]

    ------------------------------

    Date: Fri, 03 Jan 2020 15:54:33 -0800
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Company shuts down because of ransomware, leaves 300 without jobs
    just before holidays (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 3 Jan 2020
    Company tells employees to seek new employment after suspending all
    operations right before Christmas.

    https://www.zdnet.com/article/compa...bs-just-before-holidays/phone-numbers-pad.jpg

    selected text:

    An Arkansas-based telemarketing firm sent home more than 300 employees and
    told them to find new jobs after IT recovery efforts didn't go according to
    plan following a ransomware incident that took place at the start of October
    2019.

    A former The Heritage Company employee told KATV that they've lost any faith
    the company is going to ever recover from the ransomware attack.

    "Most of us are convinced that they're not going to reopen. I'm pretty sure
    they're just buying time because they know as soon as they're not going to
    reopen we're going to have to get a settlement and I think they just don't
    want us to take them to court," the employee told KATV.

    What happened to The Heritage Company is not an isolated incident. Over the
    past two years, there have been many cases where smaller companies decided
    to shut down for good, lacking the funds to pay a ransom demand to get their
    data back or lacking the funds needed to rebuild their IT infrastructure.

    For example, in April 2019, doctors at a medical practice office in Michigan
    decided to shut down their business and retire one year ahead of schedule,
    rather than deal with the fallout from a ransomware infection.

    Similarly, a second medical office, based in Simi Valley, California,
    reached the same conclusion in September 2019, deciding to shut down all
    operations after they were infected with ransomware a month before and
    lacked the funds to pay the ransom.

    ------------------------------

    Date: January 5, 2020
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Fresh Cambridge Analytica leak 'shows global manipulation is out of
    control' (Carole Cadwalladr)

    Company's work in 68 countries laid bare with release of more than 100,000
    documents

    Jan 4 2020
    <https://www.theguardian.com/uk-news...lytica-data-leak-global-election-manipulation>

    An explosive leak of tens of thousands of documents from the defunct data
    firm Cambridge Analytica is set to expose the inner workings of the company
    that collapsed after the Observer revealed it had misappropriated 87 million
    Facebook profiles.

    More than 100,000 documents relating to work in 68 countries that will lay
    bare the global infrastructure of an operation used to manipulate voters on
    ``an industrial scale'' is set to be released over the next months.

    It comes as Christopher Steele, the ex-head of MI6's Russia desk and the
    intelligence expert behind the so-called *Steele dossier* into Trump's
    relationship with Russia, said that while the company had closed down, the
    failure to properly punish bad actors meant that the prospects for
    manipulation of the US election this year were even worse.

    The release of documents began on New Year's Day on an anonymous Twitter
    account, @HindsightFiles, with links to material on elections in Malaysia,
    Kenya and Brazil. The documents were revealed to have come from Brittany
    Kaiser, an ex-Cambridge Analytica employee turned whistleblower, and to be
    the same ones subpoenaed by Robert Mueller's investigation into Russian
    interference in the 2016 presidential election.

    Kaiser, who starred in the Oscar-shortlisted Netflix documentary The Great
    Hack, decided to go public after last month's election in Britain. ``It's so
    abundantly clear our electoral systems are wide open to abuse,'' she
    said. ``I'm very fearful about what is going to happen in the US election
    later this year, and I think one of the few ways of protecting ourselves is
    to get as much information out there as possible.''

    The documents were retrieved from her email accounts and hard drives, and
    though she handed over some material to parliament in April 2018, she said
    there were thousands and thousands more pages which showed a ``breadth and
    depth of the work'' that went ``way beyond what people think they know about
    `the Cambridge Analytica scandal'''.

    Steele made a rare public intervention to comment on the leaks. He said that
    while he didn't know what was in them, the context couldn't be more
    important because ``on our current trajectory these problems are likely to
    get worse, not better, and with crucial 2020 elections in America and
    elsewhere approaching, this is a very scary prospect. Something radical
    needs to be done about it, and fast.''

    He said authorities in the west had failed to punish those practising social
    and other media manipulation, and ``the result will be that while CA may
    have been exposed and eventually shut down, other, even more sophisticated
    actors will have been emboldened to interfere in our elections and sow
    social divisions''.

    Kaiser said the Facebook data scandal was part of a much bigger global
    operation that worked with governments, intelligence agencies, commercial
    companies and political campaigns to manipulate and influence people, and
    that raised huge national security implications.

    The unpublished documents contain material that suggests the firm was
    working for a political party in Ukraine in 2017 even while under
    investigation as part of Mueller's inquiry and emails that Kaiser says
    described how the firm helped develop a ``sophisticated infrastructure of
    shell companies that were designed to funnel dark money into politics''.

    ``There are emails between these major Trump donors discussing ways of
    obscuring the source of their donations through a series of different
    financial vehicles. These documents expose the entire dark money machinery
    behind US politics.'' The same machinery, she says, was deployed in other
    countries that Cambridge Analytica worked in, including, she claims,
    Britain.

    Emma Briant, an academic at Bard College, New York, who specialises in
    investigating propaganda and has had access to some of the documents for
    research, said that what had been revealed was ``the tip of the iceberg''.

    ------------------------------

    Date: Sun, 5 Jan 2020 15:21:59 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: What happens if your mind lives forever on the Internet?
    (Rees and Shapir, RISKS-31.52)

    Re: Rees:

    The point of the Turing Test is to determine if a machine can think like a
    human being, *not* to attempt to fool people into believing that the machine
    is intelligent (when it actually is not). Cases where people were fooled
    into thinking that they were talking to a person, when they did not know
    that it was possible that they were talking to a machine, are therefore
    irrelevant.

    Re: Shapir:

    If the aim is to "fool people", then the AI developers will be hardest,
    if not impossible, to fool (as you assert).

    If, however, the aim is to develop an intelligent machine, using the Turing
    Test as the best method of testing that we have devised so far, then the AI
    developers should be *easiest* to be convinced: they have programmed
    behaviour into the system which they believe is actual intelligent thinking,
    as similar as possible to real human thinking, so if the machine cannot
    convince them, then it is unlikely to convince anyone else! To convince the
    creators, the program would have to exhibit behaviour beyond any specific
    responses programmed into it: this is simply a basic requirement for any
    real AI.

    I suspect that Amos is correct in his opinion that "no AI program could ever
    fool the people who create it": but if he is correct, then the reason is
    that AI is impossible, not that the goal posts keep being moved. If the AI
    program cannot convince the people who created it then, a fortiori, it
    cannot convince the ordinary person, and it is not an intelligent machine.

    ------------------------------


    End of RISKS-FORUM Digest 31.53
    ************************
     
  4. LakeGator

    Risks Digest 31.54

    RISKS List Owner

    Feb 4, 2020 11:55 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 28 January 2020 Volume 31 : Issue 54

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [MASSIVE REJECTION OF RISKS-31.53. PICK UP at risks.org]
    Boeing 737s can't land facing west (FAA via Clive D.W. Feather)
    GPS jamming expected in southeast during military exercise (AOPA)
    Election Security At The Chip Level (SemiEngineering)
    Russians Hacked Ukrainian Gas Company at Center of Impeachment
    (Nicole Perlroth and Matthew Rosenberg)
    Scientists Deliver, Once Again, a Horrifying Report About
    How Hot Earth Is Getting (VICE)
    Ransomware attack forces cancer patients to re-schedule (CBC Web)
    An Avenue by Which It Might Be Technically Possible to Give an iPhone The
    Software Equivalent of Cancer (Pixel Envy)
    Please Stop Sending Terrifying Alerts to Our Cell Phones (WIRED)
    Update Firefox now, says Homeland Security, to block attacks (9to5mac)
    A field guide to Iran's hacking groups (Web Informant)
    Iran hackers have been password-spraying the U.S. electric grid (WiReD)
    Re: The shooting down of flight PS752 in Iran (Martyn Thomas)
    In a desperate bid to stay relevant in 2020's geopolitical upheaval,
    N. Korea upgrades its Apple Jeus macOS malware (The Register)
    Inside Documents Show How Amazon Chose Speed Over Safety in Building Its
    Delivery Network (ProPublica)
    Feds Are Content to Let Cars Drive, and Regulate, Themselves (WIRED)
    Should Automakers Be Responsible for Accidents? (Gabe Goldberg)
    Paul Krugman's no-good, very bad Internet day (Ars Technica)
    Hackers Cripple Airport Currency Exchanges, Seeking $6 Million Ransom
    (NYTimes)
    Hacker offers for sale 49M user records from US data broker LimeLeads
    (Security Affairs)
    Over two dozen encryption experts call on India to rethink changes
    to its intermediary liability rules (Tech Crunch)
    Chosen-Prefix attack against SHA-1 Reported (Ars Technica)
    Patch Tuesday, January 2020 (Rapid7)
    Facebook Says Encrypting Messenger by Default Will Take Years (WiReD)
    China's new Cryptolaw (Cointelegraph)
    Some consumers have noticed that computerization isn't always the answer
    (Star Tribune)
    At Mayo Clinic AI engineers face an acid test: Will their algorithms help
    real patients? (StatNews)
    AI Comes to the Operating Room (The New York Times)
    A Very Real Potential for Abuse: Using AI to Score Video Interviews (CNN)
    5G, AI, blockchain, quantum, ... (Marketoonist)
    Inside the Billion-Dollar Battle Over .Org (Steve Lohr)
    A lazy fix 20 years ago means the Y2K bug is taking down computers now
    (New Scientist)
    When 2 < 7 => failure (Ars Technica via Jeremy Epstein)
    Make It Your New Year's Resolution Not to Share Misinformation
    (Mother Jones)
    Inside the Feds' Battle Against Huawei (WiReD)
    Apple Is Bullying a Security Company with a Dangerous DMCA Lawsuit (iFixit)
    How to Protect Yourself From Real Estate Scams (NYTimes)
    Dutch Artists Celebrate George Orwell's Birthday By Putting Party Hats On
    Surveillance Cameras (BuzzFeed News)
    Re: reliability of computers (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 10 Jan 2020 20:24:07 +0000
    From: "Clive D.W. Feather" <cl...@davros.org>
    Subject: Boeing 737s can't land facing west (FAA)

    "The FAA received reports earlier this year of three incidents of display
    electronic unit (DEU) software errors on Model 737 NG airplanes flying into
    runway PABR in Barrow, Alaska. All six display units (DUs) blanked with a
    selected instrument approach to a runway with a 270-degree true heading, and
    all six DUs stayed blank until a different runway was selected. [...] The
    investigation revealed that the problem occurs when this combination of
    software is installed and a susceptible runway with a 270-degree true
    heading is selected for instrument approach. Not all runways with a
    270-degree true heading are susceptible; only seven runways worldwide, as
    identified in this AD, have latitude and longitude values that cause the
    blanking behavior."

    (Note that this is all 6 displays on each plane, not 2 displays on each of
    three planes.)

    The runways in question are:

    Runway 26, Pine Bluffs, Wyoming, USA (82V)
    Runway 28, Wayne County, Ohio, USA (KBJJ)
    Runway 28, Chippewa County, Michigan, USA (KCIU)
    Runway 26, Cavern City, New Mexico, USA (KCNM)
    Runway 25, Barrow, Alaska, USA (PABR)
    Runway 28, La Mina, La Guajira, Colombia (SKLM)
    Runway 29, Cheddi Jagan, Georgetown, Guyana (SYCJ)

    (The numbers are magnetic bearings, whereas the problem is apparently
    related to true bearing.)

    Original FAA notice:
    <http://rgl.faa.gov/Regulatory_and_G...978cc27b862584dd005c1a60/$FILE/2019-25-17.pdf>

    [Clive, Can you think of the significance of 270? Perhaps an instance of
    Buridan's Ass algorithm, in this case being halfway between 180 and 360,
    and not being able to decide? PGN]

    [I have no idea. Also, why don't all runways facing 270 have the
    problem? I suspect we'll never find out. Clive]

    [Li Gong noted
    Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on
    specific runways (The Register)
    PGN]

    ------------------------------

    Date: Fri, 17 Jan 2020 07:30:56 -0800
    From: Paul Saffo <pa...@saffo.com>
    Subject: GPS jamming expected in southeast during military exercise (AOPA)

    Dan Namowitz, AOPA, 14 Jan 2020

    GPS reception may be unavailable or unreliable over a large portion of the
    southeastern states and the Caribbean during offshore military exercises
    scheduled between January 16 and 24.
    aopa.org/news-and-media/all-news/2020/january/14/gps-jamming-expected-in-southeast-during-military-exercise

    Graphic depicting area of GPS interference testing. Courtesy of the FAA.
    The FAA has posted a flight advisory for the exercises that will require
    jamming of GPS signals for periods of several hours each day of the
    event. Navigation guidance, ADS-B, and other services associated with GPS
    could be affected for up to 400 nautical miles at Flight Level 400, down to
    a radius of 180 nm at 50 feet above the ground.

    The flight advisory encourages pilots to report any GPS anomalies they
    encounter. Reports may be submitted using this online form.

    AOPA reported on a similar event in the southeastern United States in 2019.

    AOPA is aware of hundreds of reports of interference to aircraft during
    events around the country for which notices to airmen were issued, and we
    consider the risks to GA aircraft highly concerning.

    In one example, an aircraft lost navigation capability and did not regain it
    until after landing. Other reports have highlighted aircraft veering off
    course and heading toward active military airspace -- and the wide range of
    reports makes it clear that interference affects aircraft differently. In
    some cases, recovery from signal interference may not occur until well after
    the aircraft exits the jammed area.

    In a January 2019 AOPA survey, more than 64 percent of 1,239 pilots who
    responded noted concern about the impact of interference on their use of GPS
    and ADS-B.

    AOPA continues to advocate for officials to place more focus on efforts
    to address the well-documented safety concerns raised by such events.

    ------------------------------

    Date: Wed, 15 Jan 2020 00:40:24 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Election Security At The Chip Level (SemiEngineering)

    Election Security At The Chip Level

    ------------------------------

    Date: Wed, 15 Jan 2020 15:11:02 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Russians Hacked Ukrainian Gas Company at Center of Impeachment
    (Nicole Perlroth and Matthew Rosenberg)

    Nicole Perlroth and Matthew Rosenberg, *The New York Times* 13 Jan 2020,
    updated in the online version 15 Jan 2020
    Russians Hacked Ukrainian Gas Company at Center of Impeachment

    Offices in Kyiv of a subsidiary of the Ukrainian energy company
    Burisma. Security experts suggest the hackers may have been looking for
    damaging information on Joe Biden.

    With President Trump facing an impeachment trial over his efforts to
    pressure Ukraine to investigate former Vice President Joseph R. Biden Jr.
    and his son Hunter Biden, Russian military hackers have been boring into the
    Ukrainian gas company at the center of the affair, according to security
    experts.

    The hacking attempts against Burisma, the Ukrainian gas company on whose
    board Hunter Biden served, began in early November, as talk of the Bidens,
    Ukraine and impeachment was dominating the news in the United States.

    It is not yet clear what the hackers found, or precisely what they were
    searching for. But the experts say the timing and scale of the attacks
    suggest that the Russians could be searching for potentially embarrassing
    material on the Bidens - the same kind of information that Mr. Trump wanted
    from Ukraine when he pressed for an investigation of the Bidens and Burisma,
    setting off a chain of events that led to his impeachment.

    The Russian tactics are strikingly similar to what American intelligence
    agencies say was Russia's hacking of emails from Hillary Clinton's campaign
    chairman and the Democratic National Committee during the 2016 presidential
    campaign. In that case, once they had the emails, the Russians used trolls
    to spread and spin the material, and built an echo chamber to widen its
    effect.

    ------------------------------

    Date: Thu, 16 Jan 2020 14:20:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Scientists Deliver, Once Again, a Horrifying Report About
    How Hot Earth Is Getting (VICE)

    ``These are big numbers for our planet,'' one NASA scientist told VICE News

    EXCERPT:

    In 2019, parts of the planet were hotter than they've ever been before,
    according to NASA and NOAA's annual temperature report. And scientists are
    warning the world won't be able to reverse the damage.

    For the first time ever, the average temperature in Alaska was above
    freezing. And Australia, at more than 1.5 degrees Celsius above normal, was
    as hot as the UN hopes the world will ever get.

    As a whole, 2019 was the second hottest year on record, according to the
    report, published by government scientists on Wednesday. That caps off the
    hottest decade in recorded history. The last half of the decade was also
    one for the record books: All five years, together, were the hottest on
    record. The cause, the scientists say, is clearly human-emitted greenhouse
    gases.

    ``The last ice age, where we had ice covering North America and most of
    Europe was only five degrees [Celsius] colder than the pre-industrial
    planet,'' Gavin Schmidt, director of NASA's Goddard Institute for Space
    Studies, told VICE News.

    ``We've warmed up a fifth of that,'' he added. ``These are big numbers for our
    planet.''

    In addition to Alaska and Australia, Poland and other parts of eastern
    Europe also broke temperature records, as did Madagascar, New Zealand,
    parts of Southern Africa, and eastern South America. And on top of the high
    temperatures, glaciers are melting at record rates in Greenland
    <Greenland's ice is melting at the rate scientists thought would be our worst-case scenario in 2070>.
    Hurricanes and typhoons are becoming more intense. And wildfires
    are getting bigger and more frequent.

    The planet has already warmed a full degree Celsius above pre-industrial
    levels -- and scientists say there's likely no turning back. Just because
    the planet wasn't *quite* as warm in 2019 as it was in 2016, that shouldn't
    be misinterpreted as climate change turning around.

    ``This whole, `Oh, we've been cooling since 2016' point -- that's just
    bullshit,'' Schmidt said...

    [...]
    Scientists Deliver, Once Again, a Horrifying Report About How Hot Earth Is Getting

    ------------------------------

    Date: Thu, 16 Jan 2020 14:36:55 -0800
    From: "David E. Ross" <da...@rossde.com>
    Subject: Ransomware attack forces cancer patients to re-schedule (CBC Web)

    eHealth is the provincial health authority in Saskatchewan, Canada. Note
    that they have a backup plan for such situations. The attack began 6
    January. Treatments for affected patients were delayed 24 to 48 hours. By
    14 January, the effects of the attack were apparently resolved.

    The news article on the Canadian Broadcasting Company Web site had the
    headline:

    Ransomware attack on eHealth forces 31 cancer patients to re-schedule
    radiation treatment

    The article read:

    Six patients booked for chemotherapy also affected.

    A ransomware attack on the computer system that stores confidential medical
    data for Saskatchewan residents ended up affecting almost 40 patients
    getting cancer treatment in Saskatoon and Regina.

    The attack on eHealth Saskatchewan began Jan. 6. Antivirus software
    immediately began sending alerts to staff.

    When eHealth officials attempted to open files on affected servers they
    received a message that the files had been encrypted and would remain
    inaccessible until a payment was made.

    The Saskatchewan Cancer Agency oversees the two cancer clinics in Saskatoon
    and Regina. It disconnected from the eHealth network after learning of the
    assault on the system.

    While the move served to protect patient data, it also meant that staff
    could not immediately access provincial lab results, imaging pathology and
    pharmacy and medical information.

    eHealth hit by ransomware attack but personal health data is secure, says
    CEO.

    The clinics have contingency plans for when the electronic records are not
    accessible but it took time to co-ordinate retrieving the information.

    As a result, 31 patients booked for radiation and another six with
    chemotherapy appointments had their treatment delayed by between 24 and 48
    hours.

    Each patient was given a personal explanation and apology for the delay and
    inconvenience, officials with Saskatchewan Cancer Agency said in an emailed
    statement.

    The agency fully reconnected with the eHealth network on Jan. 14.

    ------------------------------

    Date: Thu, 16 Jan 2020 18:23:10 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: An Avenue by Which It Might Be Technically Possible to Give an
    iPhone The Software Equivalent of Cancer (Pixel Envy)

    An Avenue by Which It Might Be Technically Possible to Give an iPhone ‘The Software Equivalent of Cancer’

    ------------------------------

    Date: Tue, 7 Jan 2020 20:04:15 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Please Stop Sending Terrifying Alerts to Our Cell Phones (WIRED)

    Please Stop Sending Terrifying Alerts to My Cell Phone

    ------------------------------

    Date: Fri, 10 Jan 2020 11:30:15 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Update Firefox now, says Homeland Security, to block attacks
    (9to5mac)

    https://ww.9to5mac.com/2020/01/10/update-firefox-now/

    ------------------------------

    Date: Fri, 17 Jan 2020 09:54:15 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A field guide to Iran's hacking groups (Web Informant)

    A field guide to Iran’s hacking groups

    ------------------------------

    Date: Fri, 10 Jan 2020 20:50:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Iran hackers have been password-spraying the U.S. electric grid
    (WiReD)

    A state-sponsored group called Magnallium has been probing American electric
    utilities for the past year.
    Iranian Hackers Have Been ‘Password-Spraying’ the US Grid

    ------------------------------

    Date: Mon, 13 Jan 2020 10:10:55 PST
    From: Martyn Thomas <mar...@thomas-associates.co.uk>
    Subject: Re: The shooting down of flight PS752 in Iran

    It seems to me that commercial aircraft shouldn't fly within range of
    anti-aircraft systems at a time of high military alert, because human
    error or computer system error is too likely. If that wasn't obvious
    before the USS Vincennes shot down Iran Air 655 in 1988, it should have
    become obvious immediately afterwards. Iran Air 655 has been regarded in
    the literature as a "Normal Accident", using Chick Perrow's terminology.

    Air defence systems are major intelligence targets, so several states with
    significant cyber capability will have been trying to compromise the Iranian
    system over an extended period. It would surprise me if they had all
    completely failed. This heightens the probability that an aircraft may be
    misidentified.

    If an air defence system identifies (or appears to identify) a radar
    contact as something that will strike fatally within a small number of
    seconds, the missile defences will be fired, whether there is a human in
    the loop or not.

    I find it impossible to allocate blame.

    [As we have said so often in RISKS, blame can often be remarkably widely
    distributed. Here are subsequent reports of the Iranian revolutionary
    guards air-defense comms being jammed, and other issues relating to this
    shootdown. See the NYTimes article "Anatomy of a Lie", on how the events
    around the shootdown unfolded:
    Anatomy of a Lie: How Iran Covered Up the Downing of an Airliner

    This item came in recently, although RISKS-31.54 was ready to be sent
    weeks ago. We are still resolving internal mailer problems that massively
    rejected delivery of RISKS-31.53 to many readers. It appears to be Office
    365 problem or a side-effect of SRI's installation of proofpoint to block
    executable attachments. Let's see if this issue gets through.

    PLEASE submit RISKS items for consideration as ASCII text to RISKS without
    attachments to facilitate my efforts. Office 365 is now introducing
    several hundred lines of headers, which makes things even worse. PGN]

    WARNING: I've had a slew of mailman messages dropping readers'
    subscriptions. If you did not get this message via the normal mailing,
    you need to resubscribe. SORRY. I have no control over this. PGN

    ------------------------------

    Date: Thu, 9 Jan 2020 11:56:01 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: In a desperate bid to stay relevant in 2020's geopolitical
    upheaval, N. Korea upgrades its Apple Jeus macOS malware (The Register)

    In a desperate bid to stay relevant in 2020's geopolitical upheaval, N. Korea upgrades its Apple Jeus macOS malware

    ------------------------------

    Date: Wed, 8 Jan 2020 23:45:24 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Inside Documents Show How Amazon Chose Speed Over Safety in
    Building Its Delivery Network (ProPublica)

    https://www.propublica.org/article/...-over-safety-in-building-its-delivery-network

    ...but we all want our stuff right now...

    ------------------------------

    Date: Sat, 11 Jan 2020 17:29:06 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Feds Are Content to Let Cars Drive, and Regulate, Themselves (WIRED)

    A new Transportation Department policy on self-driving cars is long on
    boosting the industry and short on ensuring its safety.

    Not all road safety advocates are pleased with that approach. “The DOT is
    supposed to ensure that the US has the safest transportation system in the
    world, but it continues to put this mission second, behind helping industry
    rush automated vehicles,” Ethan Douglas, a senior policy analyst for cars
    and product safety at Consumer Reports, said in a statement.

    https://www.wired.com/story/feds-content-cars-drive-regulate-themselves/

    ------------------------------

    Date: Fri, 17 Jan 2020 10:29:53 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Should Automakers Be Responsible for Accidents?

    What a strange scheme:

    Automaker enterprise liability would have useful incentives that driver
    liability law misses.

    My basic argument is that while current negligence-based auto liability
    rules could in theory work to provide optimal accident-avoidance incentives,
    in practice they do not. The current system requires courts and drivers to
    evaluate benefit–cost tradeoffs they are not equipped to make. Also under
    the current system, much of auto-accident costs are offloaded onto medical
    and disability insurers or taxpayers. By contrast, under an automaker
    enterprise liability system, responsibility for those costs would be placed
    on the parties in the best position to reduce and insure them: vehicle
    manufacturers. In addition, automakers would be induced to charge enough for
    cars to fully internalize the costs of automobile accidents. Further, if
    auto-insurance contracts—and auto-insurance premium adjustments—could be
    deployed to improve driving habits, auto manufacturers would be induced to
    coordinate with auto insurers to achieve these deterrence gains. Moreover,
    to the extent that Level 5s reduce the cost of accidents, they would be
    cheaper to purchase than conventional vehicles, which would provide a
    natural subsidy to encourage (and potentially accelerate) their deployment.

    https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf

    ------------------------------

    Date: Fri, 10 Jan 2020 12:29:04 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Paul Krugman's no-good, very bad Internet day (Ars Technica)

    https://arstechnica.com/information-technology/2020/01/paul-krugmans-no-good-very-bad-internet-day/

    ------------------------------

    Date: Thu, 9 Jan 2020 23:07:32 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hackers Cripple Airport Currency Exchanges, Seeking $6 Million
    Ransom (NYTimes)

    https://www.nytimes.com/2020/01/09/business/travelex-hack-ransomware.html

    ------------------------------

    Date: Thu, 16 Jan 2020 14:34:46 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hacker offers for sale 49M user records from US data broker
    LimeLeads (Security Affairs)

    https://securityaffairs.co/wordpress/96432/data-breach/limeleads-data-leak.html

    ------------------------------

    Date: Fri, 10 Jan 2020 12:17:45 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Over two dozen encryption experts call on India to rethink changes
    to its intermediary liability rules (Tech Crunch)

    https://techcrunch.com/2020/01/09/o...-changes-to-its-intermediary-liability-rules/

    ------------------------------

    Date: Tue, 07 Jan 2020 13:12:37 -0700
    From: "Bob Gezelter" <geze...@rlgsc.com>
    Subject: Chosen-Prefix attack against SHA-1 Reported (Ars Technica)

    As reported in Ars Technica, a team of researchers recently presented a
    paper reporting a successful chosen-prefix attack against SHA-1. This has
    implications for OpenSSL, PGP, Git, and other components and processes that
    rely on the use of SHA-1 message digests for proving authenticity.

    The full article can be found at:
    https://arstechnica.com/information...and-much-more-threatened-by-new-sha1-exploit/

    The underlying paper is at: https://eprint.iacr.org/2020/014.pdf

    ------------------------------
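    An added illustration (mine, not Bob Gezelter's and not from the paper) of why a *chosen-prefix* collision is so much more useful to a forger than an identical-prefix one, and therefore why the Git, PGP and OpenSSL uses above are affected. In a Merkle-Damgard hash such as SHA-1, once two different prefixes have been steered into the same internal chaining state, any common suffix (the rest of a certificate, a commit body, a signature packet) keeps the two hashes equal. The toy hash below has a 16-bit state, so the collision step reduces to a table search; the compression function, its constants, the IV and the sample documents are all constructed for this example.

```python
"""Toy Merkle-Damgard hash with a 16-bit state (constructed; no security at all).
It exists only to show the structural property that makes a chosen-prefix
collision reusable: equal chaining state + equal suffix => equal digest."""

BLOCK = 2                      # message block size in bytes
STATE_BITS = 16
MASK = (1 << STATE_BITS) - 1
IV = 0x1357                    # constructed initial chaining value


def compress(state: int, block: int) -> int:
    """Constructed 16-bit compression function f(state, block)."""
    x = (state * 0x9E37 + block * block + block * 0x2F6B + 0x1357) & MASK
    x ^= x >> 7
    x = (x * 0x5BD1) & MASK
    x ^= x >> 11
    return x


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then a 16-bit length."""
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK:
        padded += b"\x00"
    return padded + (len(msg) & MASK).to_bytes(2, "big")


def absorb(state: int, data: bytes) -> int:
    """Run the compression function over block-aligned data."""
    if len(data) % BLOCK:
        raise ValueError("data must be block-aligned")
    for i in range(0, len(data), BLOCK):
        state = compress(state, int.from_bytes(data[i:i + BLOCK], "big"))
    return state


def toy_hash(msg: bytes) -> int:
    return absorb(IV, md_pad(msg))


def chosen_prefix_collision(prefix1: bytes, prefix2: bytes):
    """Find one-block suffixes s1, s2 with absorb(IV, p1+s1) == absorb(IV, p2+s2).

    The prefixes are chosen freely and may differ from the first byte; they
    only need to be block-aligned and of equal length so the final length
    field agrees. With a 16-bit state an exhaustive search over 2**16 blocks
    suffices; for SHA-1 this step is the expensive cryptanalysis in the paper.
    """
    if len(prefix1) != len(prefix2) or len(prefix1) % BLOCK:
        raise ValueError("prefixes must be block-aligned and of equal length")
    state1 = absorb(IV, prefix1)
    state2 = absorb(IV, prefix2)
    reachable = {}                         # state after prefix1 + s1  ->  s1
    for blk in range(1 << STATE_BITS):
        reachable.setdefault(compress(state1, blk), blk)
    for blk in range(1 << STATE_BITS):
        s1 = reachable.get(compress(state2, blk))
        if s1 is not None:
            return s1.to_bytes(BLOCK, "big"), blk.to_bytes(BLOCK, "big")
    raise RuntimeError("no one-block collision; a longer suffix search is needed")


def demo():
    """Two constructed documents with different meaning, then a shared tail."""
    doc_a = b"Pay Alice $10 "            # 14 bytes, block-aligned
    doc_b = b"Pay Bob $9000 "            # 14 bytes, block-aligned
    s1, s2 = chosen_prefix_collision(doc_a, doc_b)
    tail = b" -- approved by the treasurer"
    return toy_hash(doc_a + s1 + tail), toy_hash(doc_b + s2 + tail), doc_a + s1 != doc_b + s2


if __name__ == "__main__":
    print(demo())
```

    The reusable suffix is the point: a signature over the digest of one document is a valid signature over the other, and the forger never needs the signer's cooperation for the tail. The mitigations are the ones the item implies: stop accepting SHA-1 signatures (OpenSSL, GnuPG and Git have since moved or are moving away from it) rather than trying to detect crafted collision blocks.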

    Date: Wed, 15 Jan 2020 23:48:50 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 2020 first Patch Tuesday: Windows' ECC certificates (Rapid7)

    The first Patch Tuesday of 2020 has been hotly anticipated due to a rumour
    that Microsoft would be fixing a severe vulnerability in a fundamental
    cryptographic library. It turns out that the issue in question is indeed
    serious, and was reported to Microsoft by the NSA: CVE-2020-0601 is a flaw
    in the way Windows validates Elliptic Curve Cryptography (ECC)
    certificates. It allows attackers to spoof a code-signing certificate that
    could be used to sign a malicious executable, which would look totally
    legitimate to the end user. It also enables attackers to conduct
    man-in-the-middle attacks and decrypt confidential information on user
    connections to affected systems. This vulnerability exists in Windows 10,
    Server 2016, and Server 2019. These systems need to be patched immediately,
    as correct certificate validation is vital for determining trust.

    https://blog.rapid7.com/2020/01/14/patch-tuesday-january-2020/

    [Steven Cheung noted this (WSJ):
    https://www.wsj.com/articles/micros...vere-windows-flaw-detected-by-nsa-11579030780

    "The flaw at issue involves a mistake in how Microsoft uses digital
    signatures to verify software as authentic, which helps block malware
    from being deployed on a computer. The error would potentially enable
    hackers to install powerful malware on systems undetected."]

    ------------------------------
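    An added model of the validation gap behind CVE-2020-0601 and the check that closes it; this is example code of mine, not Microsoft's implementation and not from the Rapid7 post. The public advisories for the bug describe its root cause as matching a certificate's issuer key to a cached trusted root by the public point alone, while still accepting certificates that carry explicit curve parameters rather than a named curve; a spoofed key can then declare the root's public point as its generator and the comparison passes. The curve over GF(97), the toy root key, the certificate dictionaries and every function name here are constructed assumptions.

```python
"""Toy model of trusted-root matching with and without curve-parameter checks.
Constructed curve y^2 = x^3 + 2x + 3 over GF(97); not Windows code."""

P, A, B = 97, 2, 3                  # constructed toy curve parameters
G = (3, 6)                          # base point of the "named curve" (on the curve)
NAMED_CURVE = {"name": "toy-p97", "p": P, "a": A, "b": B, "G": G}


def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


# Trusted root CA key pair (toy private scalar, assumption).
ROOT_PRIVATE = 3
ROOT_PUBLIC = ec_mul(ROOT_PRIVATE, G)
TRUSTED_ROOT_KEYS = {ROOT_PUBLIC}


def issuer_is_trusted_key_only(issuer_key):
    """Modelled pre-patch behaviour: compare the public point only and ignore
    which parameters the certificate claims the key lives under."""
    return issuer_key["pub"] in TRUSTED_ROOT_KEYS


def issuer_is_trusted_hardened(issuer_key):
    """Hardened check: explicit parameters are refused, the named curve must be
    the expected one in every field including G, and the point must match."""
    params = issuer_key["params"]
    if params.get("name") != NAMED_CURVE["name"]:
        return False
    if any(params.get(k) != NAMED_CURVE[k] for k in ("p", "a", "b", "G")):
        return False
    return issuer_key["pub"] in TRUSTED_ROOT_KEYS and on_curve(issuer_key["pub"])


def genuine_issuer_key():
    return {"params": dict(NAMED_CURVE), "pub": ROOT_PUBLIC}


def spoofed_issuer_key():
    """Explicit parameters that reuse the curve but name the root's public point
    as generator, so the scalar 1 reproduces the root's public point."""
    params = {"p": P, "a": A, "b": B, "G": ROOT_PUBLIC}   # no curve name, explicit G
    return {"params": params, "pub": ec_mul(1, ROOT_PUBLIC)}
```

    The defensive lesson generalises beyond Windows: a trust decision that caches a key must compare the whole key (algorithm, curve identifier and point), and a validator should refuse explicitly encoded curve parameters in certificates outright, since the named-curve OID is the only form a real CA issues.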

    Date: Sun, 12 Jan 2020 16:19:24 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook Says Encrypting Messenger by Default Will Take Years
    (WiReD)

    Mark Zuckerberg promised default end-to-end encryption throughout Facebook's
    platforms. Nearly a year later, Messenger's not even close.

    https://www.wired.com/story/facebook-messenger-end-to-end-encryption-default/

    No rush...

    ------------------------------

    Date: Mon, 13 Jan 2020 10:26:01 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: China's new Cryptolaw (Cointelegraph)

    cointelegraph.com/news/china-prepares-for-cbdc-with-cryptography-law-on-encryption-standards

    On 1 Jan 2020, China's law governing cryptographic password management came
    into power. Essentially, the act aims to set standards for the application
    of cryptography and the management of passwords, and, therefore, ultimately
    reduces China's cyber vulnerabilities on a nationwide scale. Some local
    media outlets rumor that the law is paving the way for the long-awaited
    release of China's central bank digital currency, although it does not make
    any explicit references in that regard. Meanwhile, the private sector is
    worried about the anonymity of its data. [...]

    ------------------------------

    Date: Fri, 10 Jan 2020 10:30:34 -0500
    From: s...@eskimo.com (Steve Summit)
    Subject: Some consumers have noticed that computerization isn't always the
    answer (Star Tribune)

    Not the usual sort of risk, but here's a nice article on the premium placed
    by savvy farmers on tractors built before 1980 or so, in significant part
    because they're *not* computerized and can therefore be maintained by
    anyone.

    http://www.startribune.com/for-tech...r-old-tractors-now-a-hot-commodity/566737082/

    ------------------------------

    Date: Sun, 12 Jan 2020 12:22:00 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: At Mayo Clinic AI engineers face an acid test: Will their
    algorithms help real patients? (StatNews)

    https://www.statnews.com/2019/12/18/mayo-clinic-artificial-intelligence-acid-test/

    A sobering peek at AI's potential role in medicine at the front line, with
    patient data-in-the-loop, applied to ferret out atrial fibrillation (a-fib)
    precursors using a convolution neural network -- the same algorithm applied
    by driverless vehicles to recognize traffic signs and road obstacles, etc.

    "The largest share of the data is derived from electrocardiograms (EKGs), a
    century-old technology that is commonly used to evaluate heart function by
    recording electrical pulses that cause the heart to beat. About 250,000
    EKGs are performed every year at Mayo, which has a digital dataset of 7
    million records stretching back to the mid-1990s.

    "EKGs have been able to detect a-fib for decades, but Mayo is seeking to
    take it a step further — by trying to predict which patients will experience
    this arrhythmia in the future." [...]

    "In a study published in August, Mayo reported the algorithm was able to
    accurately identify patients with a-fib at an 80-percent accuracy rate. On
    a recent afternoon, its power was displayed in the case of a patient who had
    undergone EKGs over a 30-year period but had never been diagnosed with
    a-fib. Inside a conference room, a group of engineers and cardiologists
    scanned the peaks and valleys of the data projected on a screen for any sign
    of an abnormality.

    "Dr. Samuel Asirvatham, an electrophysiologist who reads EKGs as
    automatically as most people drive a flat stretch of interstate, jumped up
    from his chair to take a closer look. He flipped forward in the series of
    EKGs and then back, but nothing seemed to call out a certainty of atrial
    fibrillation. However, the AI system, when it was shown the same data,
    detected a hidden pattern pinpointing two occasions when the patient’s risk
    of atrial fibrillation had increased dramatically.

    "As it turned out, both of those EKGs preceded cryptogenic strokes, or
    strokes of unknown cause, that, in hindsight, may have been caused by the
    a-fib."

    Focusing on patient outcome improvement potential is a key performance
    indicator for effective medical care delivery. That the article does not
    mention false-negative/positive and
    area-under-curve/receiver-operating-characteristics (AUCROC) suggests some
    undisclosed algorithmic sensitivity derived from the MAYO dataset -- though
    it embodies a sizable patient sample history.

    As described by the essay, the data used is selective and filtered --
    presented as evidence of merit for premonitory a-fib detection where none is
    currently visible in a given cardiogram -- normal sinus rhythm
    presented. That a physician skilled in the art can recognize 'cryptogenic
    stroke' indicators based on prior cardiogram reading, as can the machine,
    suggests equivalent detection capability when both are given a sufficiently
    rich dataset.

    Interpreting an isolated electro-cardiogram to predict a-fib occurrence
    or recurrence risks, independent of patient history, is quack medicine.

    Cardiac electrophysiologists often assess a-fib risks using patient factors
    that antagonize: high blood pressure, obstructive sleep apnea, obesity, high
    cholesterol, sedentary life style, prior a-fib events, etc. Typically, the
    CHADS2 score
    (https://www.mdcalc.com/chads2-score-atrial-fibrillation-stroke-risk)
    encapsulates these factors to estimate stroke risk.

    Perhaps the motive to justify proactive a-fib prediction is to suppress or
    optimize future medical care expenditures. ~1% of the US population (~3
    million people) are diagnosed with a-fib each year.

    How many patients will be falsely diagnosed or misdiagnosed by "The Stroke
    Predictor Model 9000"? What costs (and potential hardships) will be incurred
    by patients, physicians, and medical system who rely on AI-enhanced
    incidents? Will these adverse incidents diminish or increase in frequency?
    Where's the double-blind study to certify and justify adoption of this
    device into cardiac care protocol?

    Risk: AI-based cardiogram signal processing and interpretation.

    ------------------------------

    Date: Wed, 8 Jan 2020 12:14:15 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: AI Comes to the Operating Room (The New York Times)

    https://www.nytimes.com/2020/01/06/health/artificial-intelligence-brain-cancer.html

    "Images made by lasers and read by computers can help speed up the diagnosis
    of brain tumors during surgery."

    A 'frozen section' analysis of brain tissue only requires ~2 minutes given
    the candidate technique. In the old days, 30+ minutes elapsed while the
    patient waited under anesthesia for a carbon-based pathology assessment.

    Speed is important, too: less time on the operating room table, and a "quick
    second opinion," albeit by 'deep learning' trained-machine to recognize
    tumors in the flesh. MRIs apparently don't always yield a conclusive pre-op
    diagnosis. Hence the need for biopsy supplement.

    "The study involved brain tissue from 278 patients, analyzed while the
    surgery was still going on. Each sample was split, with half going to AI and
    half to a neuropathologist. The diagnoses were later judged right or wrong
    based on whether they agreed with the findings of lengthier and more
    extensive tests performed after the surgery.

    "The result was a draw: humans, 93.9 percent correct; AI, 94.6 percent."
    'Correct'? No false-positive or false-negative AUC ROC measures?

    You should trust your physician -- they swear by the Hippocratic Oath. Trust
    the physician's tool supply chain? Not so fast.

    ------------------------------

    Date: Thu, 16 Jan 2020 04:01:34 -0700
    From: "Bob Gezelter" <geze...@rlgsc.com>
    Subject: A Very Real Potential for Abuse: Using AI to Score Video Interviews
    (CNN)

    CNN has published an article on an interesting trend: the use of AI
    evaluations of candidate video interviews during the selection process for
    internships and jobs.

    As in other cases with AI-based evaluation of imagery, the potential for
    baked-in bias is clear. Without extensive study, is there a way to validate
    that such mechanisms are free of explicit or implicit bias concerning race,
    culture, and other factors? As an example, the subject of "word choice". In
    some cultures, directness is valued; in other cultures, precisely the
    opposite is true. It would be far too simple for a bot to downgrade a
    candidate for "lack of directness" when their cultural background values
    it. Would that not be effective discrimination on race, national origin, or
    other prohibited or suspect factor?

    A thought experiment: Consider scoring the statement "The patient has a
    tumor" with the all-but-required phrasing used by a radiologist "The
    patient's imagery is consistent with the presence of a tumor". Is one of
    these options "evasive"?

    One could argue that it is a matter of what questions are asked, but that
    presupposes a degree of sophistication which is likely not present in
    practice.

    https://www.cnn.com/2020/01/15/tech/ai-job-interview/index.html

    ------------------------------

    Date: Mon, 13 Jan 2020 13:19:47 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 5G, AI, blockchain, quantum, ... (Marketoonist)

    Smart Devices and 5G cartoon | Marketoonist | Tom Fishburne

    With the imminent arrival of 5G, there’s a lot of euphoric talk about
    the future of connected devices, which is leading to a fair amount of
    technology-for-technology-sake. And there are many funny and not-so-funny
    bumps in the road.

    On the funny end of the spectrum, GE was mocked
    <https://www.marketwatch.com/story/t...-lightbulb-has-suddenly-gone-viral-2019-06-20>
    a few months ago for releasing a guide to reset their Smart Lightbulb. It
    requires 14 complicated steps of turning it off and on at exact second
    counts with a stopwatch (“turn off for two seconds … turn on for eight
    seconds”). Stephen Fry remarked
    <https://www.marketwatch.com/story/t...-lightbulb-has-suddenly-gone-viral-2019-06-20>,
    “This is insane enough to be joyous.”

    On the not-so-funny end of the spectrum, smart-device maker Wyze announced
    <https://www.marketwatch.com/story/s...-breach-that-could-affect-millions-2019-12-29>
    two weeks ago that both of the company’s production databases were left
    entirely open to the Internet, exposing the data of 2.4 million users of
    their smart-home cameras and devices.

    These are all reflections of the awkward adolescent stage of technology
    we’re living and working in. We have to continually question just how
    “smart” all of this “smart” technology really is.

    https://marketoonist.com/2020/01/smart.html

    ------------------------------

    Date: January 8, 2020 8:14:28 JST
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Inside the Billion-Dollar Battle Over .Org (Steve Lohr)

    [via Dave Farber]

    Steve Lohr, *The New York Times*, 7 Jan 2020

    A private equity firm wants to buy the Internet domain used by nonprofits. A
    group of online pioneers says it is not the place to maximize profits.

    Two months ago, Ethos Capital, a private equity firm, announced that it
    planned to buy the rights to a tract of Internet real estate for more than
    $1 billion. But it wasn't just any piece of digital property. It was
    dot-org, the cyber neighborhood that is home to big nonprofits and
    nongovernmental organizations like the United Nations (un.org) and NPR
    (npr.org), and to little ones like neighborhood clubs.

    The deal was met with a fierce backlash. Critics argued that a less
    commercial corner of the Internet should not be controlled by a
    profit-driven private equity firm, as a matter of both principle and
    practice. Online petitions and letters of concern came from hundreds of
    organizations, thousands of individuals and four Democrats in Congress,
    including Senator Elizabeth Warren of Massachusetts.

    Rarely has the acronym-strewn realm of Internet addresses -- so-called
    domain names -- stirred such passion.

    Now, a group of respected Internet pioneers and nonprofit leaders is
    offering an alternative to Ethos Capital's bid: a nonprofit cooperative
    corporation. The incorporation papers for the new entity, the Cooperative
    Corporation of .ORG Registrants, were filed this week in California.
    [...] [PGN-ed, longish item, truncated]

    https://www.nytimes.com/2020/01/07/...te-equity-battle.html?emc=3Drss&partner=3Drss

    ------------------------------

    Date: Thu, 9 Jan 2020 21:03:39 -0800
    From: Paul Saffo <pa...@saffo.com>
    Subject: A lazy fix 20 years ago means the Y2K bug is taking down computers
    now (New Scientist)

    [Re: Martyn Thomas, This might be a genuine Y2K problem -- are there more?
    RISKS-31.50]

    Chris Stokel-Walker, *New Scientist*, 7 Jan 2020
    https://www.newscientist.com/articl...ans-the-y2k-bug-is-taking-down-computers-now/

    [PGN-ed to avoid duplication with RISKS-31.50 and 53.]

    [...] Programmers wanting to avoid the Y2K bug had two broad options:
    entirely rewrite their code, or adopt a quick fix called ``windowing'',
    which would treat all dates from 00 to 20, as from the 2000s, rather than
    the 1900s. An estimated 80 per cent of computers fixed in 1999 used the
    quicker, cheaper option.

    ``Windowing, even during Y2K, was the worst of all possible solutions
    because it kicked the problem down the road,'' says Dylan Mulvin at the
    London School of Economics.

    Coders chose 1920 to 2020 as the standard window because of the significance
    of the midpoint, 1970. ``Many programming languages and systems handle
    dates and times as seconds from 1970/01/01, also called Unix time,'' says
    Tatsuhiko Miyagawa, an engineer at cloud platform provider Fastly.

    Unix is a widely used operating system in a variety of industries, and this
    ``epoch time'' is seen as a standard.

    The theory was that these windowed systems would be outmoded by the time
    2020 arrived, but many are still hanging on and in some cases the issue had
    been forgotten.

    ``Fixing bugs in old legacy systems is a nightmare: it's spaghetti and
    nobody who wrote it is still around,'' says Paul Lomax, who handled the Y2K
    bug for Vodafone. ``Clearly they assumed their systems would be long out of
    use by 2020. Much as those in the 60s didn't think their code would still be
    around in the year 2000.''

    Those systems that used the quick fix have now reached the end of that
    window, and have rolled back to 1920. Utility company bills have reportedly
    been produced with the erroneous date 1920, while tens of thousands of
    parking meters in New York City have declined credit card transactions
    because of the date glitch.

    Thousands of cash registers manufactured by Polish firm Novitus have been
    unable to print receipts due to a glitch in the register's clock. The
    company is attempting to fix the machines.

    WWE 2K20, a professional wrestling video game, also stopped working at
    midnight on 1 January 2020. Within 24 hours, the game's developers, 2K,
    issued a downloadable fix.

    Another piece of software, Splunk, which ironically looks for errors in
    computer systems, was found to be vulnerable to the Y2020 bug in
    November. The company rolled out a fix to users the same week -- which
    include 92 of the Fortune 100, the top 100 companies in the US.

    Some hardware and software glitches have been incorrectly attributed to the
    bug. One healthcare professional claimed Y2020 hit a system developed by
    McKesson, which produces software for hospitals. A spokesperson for McKesson
    told New Scientist the firm was unaware of any outage tied to Y2020.

    Exactly how long these Y2020 fixes will last is unknown, as companies
    haven't disclosed details about them. If the window has simply been pushed
    back again, we can expect to see the same error crop up.

    Another date storage problem also faces us in the year 2038. The issue again
    stems from Unix's epoch time: the data is stored as a 32-bit integer, which
    will run out of capacity at 3.14 am on 19 January 2038.

    [In response to a request from Eric Hofnagel, I pulled together a historical
    list of Y2K-related problems. It is now on my website
    http://www.csl.sri.com/neumann/neumann.html at
    http://www.csl.sri.com/neumann/y2k-pgn.txt
    PGN]

    ------------------------------
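    The ``windowing'' fix and the 2038 rollover described in the New Scientist
    item above, worked through as an added example (this is illustrative code
    written for this digest page, not code from the article, from any of the
    vendors named, or from the RISKS editors). The pivot year, the function
    names and the sliding-window variant are assumptions chosen to show the
    mechanism; the dates it computes are the ones the article cites.

```python
from datetime import datetime, timedelta, timezone

# The 1920-2020 window used by the quick Y2K fix: a two-digit year at or
# below the pivot is read as 20xx, anything above it as 19xx.
# (Pivot value and names are assumptions for this illustration.)
Y2K_PIVOT = 20


def window_year(yy: int, pivot: int = Y2K_PIVOT) -> int:
    """Expand a two-digit year through a fixed pivot (the 'windowing' fix).

    With pivot 20, '20' still maps to 2020 but '21' falls back to 1921: the
    fix silently expires at the end of the window.
    """
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year, got %r" % (yy,))
    return 2000 + yy if yy <= pivot else 1900 + yy


def sliding_window_year(yy: int, now_year: int, years_ahead: int = 20) -> int:
    """A pivot that moves with the current year instead of being frozen in 1999.

    Two-digit years are resolved to the century that keeps them no more than
    `years_ahead` in the future. This removes the fixed cliff, but it is still
    a guess: anything older than 100 - years_ahead years is misread, so it
    only 'pushes the window back', as the article warns.
    """
    max_year = now_year + years_ahead
    candidate = (now_year - now_year % 100) + yy
    if candidate > max_year:
        candidate -= 100
    elif candidate <= max_year - 100:
        candidate += 100
    return candidate


# Signed 32-bit time_t: seconds since 1970-01-01 UTC, wrapping at 2**31.
INT32_MAX = 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def wrap_int32(n: int) -> int:
    """Reduce an integer to the value a signed 32-bit counter actually stores."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n >= 2**31 else n


def epoch_to_datetime(seconds: int) -> datetime:
    """Decode a Unix timestamp by pure arithmetic so negative values work everywhere."""
    return EPOCH + timedelta(seconds=seconds)


def y2038_rollover():
    """Return the last instant a signed 32-bit time_t can hold and what the
    very next second decodes to once the counter has wrapped negative."""
    last = epoch_to_datetime(INT32_MAX)
    after = epoch_to_datetime(wrap_int32(INT32_MAX + 1))
    return last, after


if __name__ == "__main__":
    # Constructed sample: a receipt date printed as dd/mm/yy after New Year 2020.
    for yy in (99, 19, 20, 21):
        print("'%02d' -> %d (fixed pivot)   %d (sliding, as of 2020)"
              % (yy, window_year(yy), sliding_window_year(yy, now_year=2020)))
    last, after = y2038_rollover()
    print("32-bit time_t ends at %s UTC, then reads as %s UTC" % (last, after))
```

    The fixed pivot is exactly the 1999 quick fix: it is correct for every
    two-digit year through 20 and wrong from 21 onward, which is why systems
    that still carry it printed 1920 this January. The sliding variant is the
    usual ``push the window back'' repair; it defers rather than removes the
    ambiguity, so the only durable fix is storing four-digit years (or full
    64-bit timestamps for the 2038 case).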

    Date: Mon, 13 Jan 2020 13:35:59 -0500
    From: Jeremy Epstein <jeremy....@gmail.com>
    Subject: When 2 < 7 => failure (Ars Technica)

    Grocery store system does periodic audits of self-checkout users, but the
    system doesn't work if you have fewer than 7 items - the audit requires
    auditing exactly seven items.

    Granted, not the biggest risk in the world, but if the venue didn't
    have in-person employees, what would the customer do?

    https://arstechnica.com/staff/2020/01/how-i-broke-my-grocery-stores-app-by-not-buying-enough-stuff/

    ------------------------------

    Date: Tue, 7 Jan 2020 20:18:50 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Make It Your New Year's Resolution Not to Share Misinformation
    (Mother Jones)

    https://www.motherjones.com/politic...years-resolution-not-to-share-misinformation/

    Not profound but worth sharing with the less tech-savvy.

    ------------------------------

    Date: Fri, 17 Jan 2020 11:50:03 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Inside the Feds' Battle Against Huawei (WiReD)

    https://www.wired.com/story/us-feds-battle-against-huawei/

    Long, interesting...

    ------------------------------

    Date: Mon, 6 Jan 2020 19:57:42 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple Is Bullying a Security Company with a Dangerous DMCA Lawsuit
    (iFixit)

    https://www.ifixit.com/News/apple-is-bullying-a-security-company-with-a-dangerous-dmca-lawsuit

    ------------------------------

    Date: Mon, 6 Jan 2020 19:58:52 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How to Protect Yourself From Real Estate Scams (NYTimes)

    https://www.nytimes.com/2020/01/03/realestate/how-to-protect-yourself-from-real-estate-scams.html

    Not entirely new, but worth reading how it works, what to do and not to.

    ------------------------------

    Date: Fri, 17 Jan 2020 10:14:25 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Dutch Artists Celebrate George Orwell's Birthday By Putting Party
    Hats On Surveillance Cameras (BuzzFeed News)

    https://www.buzzfeednews.com/articl...celebrate-george-orwells-birthday-by-adorning

    ------------------------------

    Date: Mon, 06 Jan 2020 20:27:28 +0000
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: reliability of computers (RISKS-31.53)

    This brought back memories from a guy at the company where I used to work,
    as he told of being called in as an expert witness on something very similar
    back in the 1990s. As I recall, he said that two banks or building
    societies (mortgage providers) had merged; they had totally different
    computer systems, but the new managers simply fired one of the support teams
    and expected the other to cope with both systems, which they struggled to
    do. His expert opinion was that security on the unsupported system was a
    disaster area, with security features not enabled, passwords and log-ins
    left with default settings, etc. As mentioned, he felt sympathy for the
    police officer, who queried some transactions on his account and ended up
    being charged with attempting to obtain money by deception. The
    geographical location for the case was Woodbridge, Suffolk.

    By the way, there was a similar "our computers are never wrong" item on a
    BBC radio programme covering consumer affairs a couple of months ago. This
    featured a woman with a regular Chip&PIN credit/debit card, which had
    expired and been routinely replaced by the card provider. She was told to
    cut up the old one but forgot to do this; however, she expected it to be
    cancelled anyway so wasn't concerned. Quite some time later she found
    unexpected transactions on the account and was told "the security with these
    cards has never failed so it must have been stolen", which she knew was
    untrue as she still had it in her hands. After much argument it turned out
    that the old card had *not* been cancelled, so the woman went through normal
    life unknowingly having a pair of duplicate cards, then didn't notice when
    one was stolen...

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.54
    ************************
     
  5. LakeGator

    Risks Digest 31.55

    RISKS List Owner

    Feb 4, 2020 11:55 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 31 January 2020 Volume 31 : Issue 55

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [USENET connection was broken for a while. NOW FIXED]
    Georgia election systems could have been hacked before 2016 vote (Politico)
    U.S. will look at sudden acceleration complaints involving 500,000 Tesla
    vehicles (Reuters)
    Alleged MSFT mega breach (Comparitech)
    How the Internet helped crack the Astros' sign-stealing case (ESPN)
    Australian General Practice Medical Data Aggregation Software
    (outcomehealth)
    Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active Attacks
    (The Hacker News)
    Is LongFi the Next Wireless Revolution? (LifeWire)
    Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
    Cryptojacking (Darkreading)
    Recent paychecks are smaller for some feds due to National Finance Center
    error (Federal News Network)
    The Secretive Company That Might End Privacy as We Know It (NYTimes)
    London police to roll out live facial recognition across the city
    (Janosch Delcker, Politico Europe)
    The world's 2,153 billionaires are richer than 4.6 billion people combined,
    Oxfam says (Business Insider)
    Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)
    The Navy cryptically says it has top-secret UFO briefings that would cause
    'exceptionally grave damage' to US national security if published
    (NYTimes)
    Panicking About Your Kids' Phones: New Research Says Don't
    (Nathaniel Popper)
    Singapore updates AI governance model with real-world cases
    (The Straits Times)
    Clearview app lets strangers find your name, info with snap of a photo,
    report says (CNET)
    College career centers teach job applicants how to impress AI systems (CNN)
    Banning Facial Recognition Isn't Enough (Bruce Schneier, NYTimes)
    It May Be the Biggest Tax Heist Ever. And Europe Wants Justice
    (The New York Times)
    India Restores Some Internet Access in Kashmir After Long Shutdown (NYTimes)
    Y2038 is here (Twitter)
    Yikes, friend's LinkedIn account hacked and spamming (Google)
    From a car dealer (PGN)
    Re: "Don't expect a return to the browser wars" (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 17 Jan 2020 15:25:56 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Georgia election systems could have been hacked before 2016 vote
    (Politico)

    "[W]hat Logan's findings show us is that vulnerabilities were not just
    hypothetical as the state had been claiming. Now we know that it was a very
    real risk, but what we don't know is just how bad did it get. And the public
    deserves to know," she said.

    Georgia used the server to distribute critical election and voter
    registration files to counties throughout the state. However, the state has
    insisted that it never distributed files to program voting machines through
    the server. Instead, it delivered these files to counties physically. But if
    the server was compromised, it could have been a vehicle to distribute
    malware to any county election worker who connected to it.

    Georgia's secretary of state, Brad Raffensperger, did not respond
    immediately to a request for comment. Kemp served as secretary of state at
    the time of the 2016 election, before being elected governor in 2018.

    The Center for Election Systems at Kennesaw State University, which was
    responsible for programming all of the voting machines in Georgia before
    every election, owned and operated the server in question. That server was
    already known to have security issues.

    As POLITICO first reported, months before the 2016 election, Lamb discovered
    that the KSU server was improperly secured so that anyone could access
    sensitive election data stored on it, and it also had an unpatched
    vulnerability in so-called Drupal software the server used, which would have
    allowed attackers to take control of the server and alter or delete data on
    it, or to post malware that could have infected the computers of election
    officials accessing the server.

    Logan made the discovery by chance when he visited the Center for Election
    Services website to learn more about their role in programming voting
    machines for Georgia.

    After the POLITICO story published in June 2017, the plaintiffs filed their
    lawsuit and sought to obtain the server for evidence supporting their
    contention that Georgia's election systems are not secure and could have
    been tampered with in the 2016 election.

    But officials at Kennesaw wiped the server clean shortly after the
    plaintiffs filed their suit. The FBI had a mirror image of the server, which
    had been made in March 2017, but state officials fought to prevent the
    plaintiffs from obtaining it to examine. They lost that fight last year.

    Only recently was Lamb able to examine the server for evidence of tampering.
    In his affidavit, Lamb said the server appears to have been compromised in
    December 2014, using an unpatched vulnerability called *Shellshock* that had
    been publicly revealed and widely reported three months earlier.

    The Shellshock vulnerability is different from the Drupal one Lamb
    discovered when he visited the Center's website in 2016. Both the Shellshock
    and Drupal vulnerabilities had been publicly exposed around the same time,
    but despite both receiving extensive media coverage and even a Department of
    Homeland Security alert in the case of Shellshock, officials at the Center
    for Election Systems failed to apply a patch to close either of them when
    the patches were released.

    ------------------------------

    Date: Fri, 17 Jan 2020 23:43:39 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. will look at sudden acceleration complaints involving
    500,000 Tesla vehicles (Reuters)

    WASHINGTON (Reuters) - The National Highway Traffic Safety Administration
    (NHTSA) said Friday it will review a petition asking the agency to formally
    investigate and recall 500,000 Tesla Inc vehicles over sudden unintended
    acceleration reports.


    ------------------------------

    Date: Fri, 24 Jan 2020 4:49:32 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Alleged MSFT mega breach (Comparitech)

    250 million Microsoft customer service & support records exposed

    "Over the New Year, Microsoft exposed nearly 250 million Customer Service
    and Support (CSS) records on the web. The records contained logs of
    conversations between Microsoft support agents and customers from all over
    the world, spanning a 14-year period from 2005 to December 2019. All of the
    data was left accessible to anyone with a web browser, with no password or
    other authentication needed."

    ------------------------------

    Date: Sat, 18 Jan 2020 19:38:00 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How the Internet helped crack the Astros' sign-stealing case (ESPN)


    ------------------------------

    Date: Sun, 19 Jan 2020 21:28:37 +1100
    From: "Geoffrey Sinclair" <gsin...@froggy.com.au>
    Subject: Australian General Practice Medical Data Aggregation Software
    (outcomehealth)

    The Australian Government has spent the last few years rolling out
    MyHealthRecord, a centralised personal electronic health record for every
    citizen which they and relevant medical staff can access. It has a widely
    publicised opt out mechanism and around 15% of the population have done so.
    The latest report indicates it is underutilised due to a variety of factors
    including the usual software incompatibilities.

    However a much quieter data gathering is going on. A software product
    called Polar GP (and/or other suites like PEN Cat, this is about Polar GP)
    is being offered free to General Practitioners as a way for big data to come
    to them, enabling detailed data analysis of their practice and patients, and
    has been around since early 2018 at least and went live on 1 August 2019.
    Polar also installs a program called Hummingbird to copy data offsite.

    This is part of an Australian Government initiative to upload GP data,
    encouraged with incentive payments; all practices have a 12 month window to
    comply with the relevant standards. Privacy is covered by the anonymity and
    public benefit parts of the privacy act. Patient records are given an ID
    and practice number as part of the process of deleting individual
    identifying material, but birth date and complete medical histories are
    being exchanged and this is coupled with the relatively limited number of
    patients at each practice.

    Since the practice is considered to own the data it is they who consent to
    its sharing, the patient needs to request an opt out.

    Data is nominally sent via the government funded local, not for profit,
    Primary Health Network company which then claims ownership of the records
    and is expected to be a main user of the uploaded data, which is ultimately
    copied to the Australian Institute of Health and Welfare.

    The uploaded data, less the individual identifying material, is sent to a
    central repository, managed/maintained by a private company called Outcome
    Health, the practice sends hourly updates of the medical data, while holding
    the key to link it to the local records.

    The intention is to allow a number of organisations, including the practice,
    to look at the aggregated data for the benefits that can bring to health
    services. This idea is supported by the Royal Australian College of General
    Practitioners. Reports can be generated with medical and/or financial
    details.

    To quote one of the websites,

    "POLAR is suitable for use by all general practice staff, including
    practice principals, general practitioners, nurses, practice managers,
    business managers and admin staff.

    POLAR performs a data collection (extracts changed data) from the practice
    software every five minutes. The identified and de-identified practice
    data is encrypted using industry endorsed algorithms similar as those used
    in the health, banking and e-commerce sectors. The encrypted identified
    data is stored locally with the POLAR software.

    The encrypted de-identified data is uploaded directly to the POLAR data
    warehouse (located in Australia). Overnight the accumulated de-identified
    data is built into POLAR Reports and made available for viewing by the
    practice the following morning. When POLAR is opened at the practice the
    locally stored identified data and the de-identified data drawn from the
    POLAR Data Warehouse are unencrypted locally and matched enabling reports
    to be viewed and analysed.

    POLAR software is developed by Outcome Health. Outcome Health are the
    custodians of the POLAR Data Warehouse. De-identified patient data is
    securely stored in the POLAR Data Warehouse (in Australia) for population
    health planning ....

    Support for POLAR is provided free by the individual Primary Health
    Networks (PHNs)."

    Posters put up in the GP offices appear to be about the limit of the
    publicity; the sign-up documentation list includes,

    "Step 5: A3 GP Poster (option 1 for reception area) or A3 GP Poster (option
    2 for reception area) documents - download, print and display in your
    reception area - option 1 or option 2 - your choice. Call us and we can send
    you a printed version."

    The posters indicate you need to ask at reception if you do not want your
    data included. The local GP practice had two posters displayed.

    Despite the software being in use for over 5 months no one at the practice
    had any idea of what Polar was or did, confusing it with MyHealthRecord,
    contending it really did not matter and trying the "put it in writing"
    approach. Even though the agreement to use the software requires the
    signatures of an authorised person plus witness and appoints a nominated
    administrator. In the end the practice called one of the relevant Primary
    Health Network IT people who clarified the situation. The person was
    acutely aware of the risk/reward equation along with the progress in
    re-identifying data and agreed to send written confirmation my existing data
    record had been deleted plus that no further uploads would be done. The
    written confirmation was supplied promptly.


    The GP practice also has a new booking system which uses, and staff trained
    to ask for, your birth date as the primary identifier when making an
    appointment, and has the booking software on the same system as email. If
    you do not supply a birth date the staff generally call it out "to confirm"
    it is you.

    ------------------------------

    Date: Sat, 18 Jan 2020 09:17:27 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Microsoft Warns of Unpatched IE Browser Zero-Day That's Under
    Active Attacks (The Hacker News)

    EXCERPT:

    Internet Explorer is dead, but not the mess it left behind.

    Microsoft earlier today issued an emergency security advisory warning
    millions of Windows users of a new zero-day vulnerability in Internet
    Explorer (IE) browser that attackers are actively exploiting in the wild --
    and there is no patch yet available for it.

    The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote
    code execution issue that exists in the way the scripting engine handles
    objects in memory of Internet Explorer and triggers through JScript.dll
    library.

    A remote attacker can execute arbitrary code on targeted computers and take
    full control over them just by convincing victims into opening a
    maliciously crafted web page on the vulnerable Microsoft browser.

    "The vulnerability could corrupt memory in such a way that an attacker
    could execute arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability could gain the same
    user rights as the current user," the advisory says.

    "If the current user is logged on with administrative user rights, an
    attacker who successfully exploited the vulnerability could take control of
    an affected system. An attacker could then install programs; view, change,
    or delete data; or create new accounts with full user rights."

    Microsoft is aware of `limited targeted attacks' in the wild and working on
    a fix, but until a patch is released, affected users have been provided
    with workarounds and mitigation to prevent their vulnerable systems from
    cyberattacks.

    The affected web browsing software includes -- Internet Explorer 9, Internet
    Explorer 10, and Internet Explorer 11 running on all versions of Windows 10,
    Windows 8.1, and the recently-discontinued Windows 7.

    Workarounds: Defend Against Attacks Until A Patch Arrives. [...]

    Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active Attacks

    ------------------------------

    From: Gabe Goldberg <ga...@gabegold.com>
    Date: Tue, 21 Jan 2020 14:47:38 -0500
    Subject: Is LongFi the Next Wireless Revolution? (LifeWire)

    Author writes:

    IoT and Our Low-Powered Sensor Future

    There are, by some measures, more than 30 billion Internet of Things (IoT)
    devices in use around the world. Virtually all of them live on Wi-Fi and
    cellular networks, but a small number, mostly tracking devices, are
    communicating in essentially a third way, on a LongFi network powered by
    Helium's small, consumer hot spots. And if Helium has its way, the LongFi
    network will change the way millions of low-powered devices communicate and
    how widely-distributed networks are built.

    Even though Helium has been around for 6 years, I’d never heard of it and
    hesitated to accept a CES meeting with CEO and Co-Founder Amir Haleem. The
    concept, though -- a peer-to-peer wide-area wireless network with a
    crypto-currency angle -- was intriguing. Plus, the company was co-founded by
    Napster founder Shawn Fanning. [...]

    Building such a network, even without the infrastructure overhead of LTE or
    5G is not easy, but Helium cooked up an unusual solution. The company
    encourages consumers to put a Helium Hotspot in their home by making them a
    participant in the economics of the network, which is where Blockchain comes
    in.

    In addition to helping create the LongFi network, the Helium Hotspots are
    cryptocurrency mining systems and, depending on how third parties use the
    encrypted network, their hotspots may mine cryptocurrency in the form of
    Helium Tokens. The cryptocurrency collection is tracked in the Helium
    app. Granted, a Helium Token currently has no value, but someday, possibly
    depending on the scale of the Helium LongFi network, it may.

    That pitch was, somewhat surprisingly, enough to attract a couple hundred
    crypto enthusiasts in Austin, Texas (the network went live last
    summer). Haleem told me they also had no trouble finding takers enmeshed in
    the IoT world.

    Is LongFi the Next Wireless Revolution?

    Risk? IoT + blockchain?

    ------------------------------

    Date: Fri, 24 Jan 2020 11:40:14 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
    Cryptojacking (Darkreading)

    A fictitious industrial company with phony employee personas, website, and
    PLCs sitting on a simulated factory network fooled malicious hackers -- and
    raised alarms for at least one white-hat researcher who stumbled upon it.

    EXCERPT:

    For seven months, researchers at Trend Micro ran a legitimate-looking phony
    industrial prototyping company with an advanced interactive honeypot network
    to attract would-be attackers.

    The goal was to create a convincing-looking network that attackers wouldn't
    recognize as a honeypot so the researchers could track and study attacks
    against the phony factory in order to gather intel on the real threats to
    the industrial control system (ICS) sector today.

    The faux company's factory network, which they purposely configured with
    some ports exposed to the Internet from May through December of last year,
    was mostly hit with the same types of threats that IT networks face:
    ransomware, remote access Trojans (RATs), malicious cryptojacking, and
    online fraud, as well as botnet-style beaconing malware that infected its
    robotics workstation for possible lateral movement.

    But there also were a few more alarming incidents with shades of more
    targeted intent. In one attack on 25 Aug 2019, for instance, an attacker
    worked its way around the robotics system, closed the HMI application, and
    then powered down the system. Later that month, an attacker was able to
    start up the factory network, stop the phony conveyor belt - and then shut
    down the factory network. Attackers via the HMI shut down the factory and
    locked the screen, while another opened the log view of the robot's optical
    eye. [...]

    ------------------------------

    Date: Tue, 21 Jan 2020 20:53:30 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Recent paychecks are smaller for some feds due to National Finance
    Center error (Federal News Network)

    /This story has been updated on Friday, Jan. 17 at 9:30 a.m. to indicate
    that some NFC employees have received larger paychecks than usual./

    Recent paychecks are smaller for some feds due to National Finance Center error | Federal News Network

    ...well, then it's OK, that balances things.

    ------------------------------

    Date: January 19, 2020 6:03:03 JST
    From: Ellen Ullman <ull...@well.com>
    Subject: The Secretive Company That Might End Privacy as We Know It (NYTimes)

    A little-known start-up helps law enforcement match photos of unknown people
    to their online images -- and "might lead to a dystopian future or
    something," a backer says.

    This application scrapes social media for its database of images,
    approximately 3 billion photographs. It claims it can recognize individuals
    wearing hats and glasses, also faces in profile. Its efficacy and accuracy
    have not been independently tested, yet it is in increasing use by police
    departments nationally.

    https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

    ------------------------------

    Date: Fri, 24 Jan 2020 10:42:48 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: London police to roll out live facial recognition across the city
    (Janosch Delcker, Politico Europe)

    Police in the British capital are set to deploy automated facial recognition
    technology across the city, it was announced today.

    ``The use of live facial recognition technology will be intelligence-led and
    deployed to specific locations in London,'' the Metropolitan Police Service
    said in a statement, arguing that this ``will help tackle serious crime,
    including serious violence, gun and knife crime, child sexual exploitation
    and help protect the vulnerable.''
    <http://news.met.police.uk/news/met-...live-facial-recognition-lfr-technology-392451>

    Democratic governments in the West are increasingly following the example of
    authoritarian regimes in deploying the technology, which allows them to scan
    faces in crowds, compare the results with stored data and identify
    individuals in real time.

    Civil rights advocates have warned that such *live* or *automated* facial
    recognition systems pave the way for mass surveillance on an unprecedented
    scale, but in a landmark case earlier this year, a U.K. court ruled that
    South Wales Police had used similar technology lawfully.
    <https://www.politico.eu/article/uk-court-backs-police-in-facial-recognition-lawsuit/>

    Earlier today, German news wire DPA reported that the German interior
    ministry dropped plans to roll out similar technology at over a hundred
    train stations across the country, following warnings by legal experts that
    the use would likely infringe the country's constitution.

    ------------------------------

    Date: Mon, 20 Jan 2020 10:54:13 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: The world's 2,153 billionaires are richer than 4.6 billion people
    combined, Oxfam says (Business Insider)

    - The world's 2,153 billionaires have more wealth than 4.6 billion
    people combined, Oxfam's latest report on inequality found.
    - The richest 1% are more than twice as wealthy as 6.9 billion people,
    or nearly 90% of the human population, the report estimated.
    - A key driver of the wealth gap is that women and girls put in 12.5
    billion hours of unpaid care work every day, the Oxfam researchers argued.
    - Their recommendations include investing in national care, passing laws
    to protect and pay care workers, and ending extreme wealth.

    EXCERPT:

    The world's 2,153 billionaires are richer than 4.6 billion people -- 60% of
    the global population -- combined, according to "Time to Care
    <https://oxfamilibrary.openrepositor...0928/bp-time-to-care-inequality-200120-en.pdf>,"
    Oxfam's latest report on inequality.

    "Our broken economies are lining the pockets of billionaires and big
    business at the expense of ordinary men and women," Oxfam India CEO Amitabh
    Behar said in a press release
    <https://www.oxfam.org/en/press-releases/worlds-billionaires-have-more-wealth-46-billion-people>
    ahead
    of this week's World Economic Forum in Davos, an annual gathering of
    business, academic, and political leaders.

    "No wonder people are starting to question whether billionaires should even
    exist," Behar added.

    The richest 1% are more than twice as wealthy as 6.9 billion people, or
    nearly 90% of the human population, the report's authors found. The 22
    wealthiest men in the world, led by Amazon CEO Jeff Bezos and Microsoft
    cofounder Bill Gates, possess more wealth than all the women in Africa put
    together, they added.

    The Oxfam researchers highlighted a key driver of the issue: women and
    girls put in 12.5 billion hours of unpaid care work every day, contributing
    $10.8 trillion to the global economy each year -- more than triple the size
    of the global tech industry, by their estimates.

    "This great divide is based on a flawed and sexist economic system that
    values the wealth of the privileged few, mostly men, more than the billions
    of hours of the most essential work -- the unpaid and underpaid care work
    done primarily by women and girls around the world," they said.
    The authors made several recommendations to narrow the gap: Invest in
    national care to lessen the burden of care work shouldered by women and
    girls, pass laws to protect carers' rights and pay care workers a living
    wage, give carers a say in relevant decisions, challenge regressive and
    sexist norms, and ensure businesses value care work...

    [...]
    https://markets.businessinsider.com...llion-people-combined-oxfam-2020-1-1028829249

    ------------------------------

    Date: Mon, 20 Jan 2020 11:14:51 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)

    Deals with Microsoft, IBM and Google reveal the power medical providers have
    in deciding how patients' sensitive health data is shared

    Melanie Evans, *WSJ*, 20 Jan 2020

    https://www.wsj.com/articles/hospit...ccess-to-detailed-medical-records-11579516200

    ------------------------------

    Date: Sat, 18 Jan 2020 15:53:46 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Navy cryptically says it has top-secret UFO briefings that would
    cause 'exceptionally grave damage' to US national security if published
    (NYTimes)

    [PGNed Via Geoff Goodfellow]

    - The Navy says it has material about UFOs that, if released, "would cause
    exceptionally grave damage to the National Security of the United
    States."

    - The Navy said it "discovered certain briefing slides that are classified
    TOP SECRET" in response to a freedom-of-information request, which asked
    about a series of videos that showed pilots baffled by mysterious, fast
    objects in the sky.

    - The Navy previously confirmed it was treating these objects as UFOs --
    which means they are being treated as unexplained but not necessarily
    extraterrestrial.
    - One of the videos was published by The New York Times in 2017, and
    pilots told *The Times* they saw the objects accelerate, stop, and turn in
    ways that went beyond known aerospace technology.
    <https://www.nytimes.com/2019/05/26/us/politics/ufo-sightings-navy-pilots.html>

    EXCERPT:

    The Navy has said it has top-secret information about unidentified flying
    objects that could cause "exceptionally grave damage to the National
    Security of the United States" if released.

    A Navy representative responded to a Freedom of Information Act request sent
    by a researcher named Christian Lambright by saying the Navy had "discovered
    certain briefing slides that are classified TOP SECRET," Vice reported last
    week.
    <https://www.vice.com/en_us/article/...-classified-video-of-an-infamous-ufo-incident>

    But the representative from the Navy's Office of Naval Intelligence said
    "the Original Classification Authority has determined that the release of
    these materials would cause exceptionally grave damage to the National
    Security of the United States."

    The person also said the Navy had at least one related video classified as
    "SECRET."

    Vice said it independently verified the response to Lambright's request with
    the Navy.
    <https://www.vice.com/en_us/article/...-classified-video-of-an-infamous-ufo-incident>

    Lambright's request for information was related to a series of videos
    showing Navy pilots baffled by mysterious, fast objects in the sky.
    <https://ufos-documenting-the-eviden.../office-of-naval-intelligence-oni-admits.html>

    The Navy previously confirmed it was treating these objects as UFOs...

    https://www.businessinsider.com/nav...to-ufo-sightings-would-damage-security-2020-1

    ------------------------------

    Date: Sun, 26 Jan 2020 10:21:01 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Panicking About Your Kids' Phones: New Research Says Don't
    (Nathaniel Popper)

    *The New York Times*, 17 Jan 2020

    SAN FRANCISCO — It has become common wisdom that too much time spent on
    smartphones and social media is responsible for a recent spike in anxiety,
    depression and other mental health problems, especially among teenagers.

    But a growing number of academic researchers have produced studies that
    suggest the common wisdom is wrong.

    The latest research, published on Friday by two psychology professors,
    combs through about 40 studies that have examined the link between social
    media use and both depression and anxiety among adolescents. That link,
    according to the professors, is small and inconsistent.

    "There doesn't seem to be an evidence base that would explain the level of
    panic and consternation around these issues," said Candice L. Odgers, a
    professor at the University of California, Irvine, and the lead author of
    the paper, which was published in the Journal of Child Psychology and
    Psychiatry.

    https://www.nytimes.com/2020/01/17/technology/kids-smartphones-depression.html

    ------------------------------

    Date: Wed, 22 Jan 2020 18:34:23 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Singapore updates AI governance model with real-world
    cases (The Straits Times)

    https://www.straitstimes.com/world/spore-updates-ai-governance-model-with-real-world-cases

    The voluntary framework can be found here: https://www.imda.gov.sg/AI. It
    establishes fundamentally aspirational guidelines for organizations that
    adopt AI-based technology into their operations and/or products. The
    framework emphasizes these two key values:

    1) "Decisions made by AI should be EXPLAINABLE, TRANSPARENT & FAIR"
    2) "AI systems should be HUMAN-CENTRIC"

    That the framework conditionally expresses these progressive values reveals
    their portentous consequence were they applied as law and regulation. AI
    capabilities subject to demonstrate "EXPLAINABLE, TRANSPARENT & FAIR"
    operation and outcome, without exemption, would likely impose undue
    commercial liability and risk burden.

    Imagine if the AI capability was investigated, and shown (via logfile,
    transaction stream, sequence structures, judicial review proceedings, etc.)
    to render biased data processing results that a business uses for human
    capital management and hiring decisions, or performs loan approval, or
    authorizes medical expense payment? The consequences would likely be costly
    to both brand and valuation -- a result that strongly resonates with
    for-profit organizations.

    Some forms of bias are benign -- product material choice affects color-blind
    individuals, but might be unavoidable. If the product label clearly
    discloses this fact (not fit for use if color-blind, in black-and-white),
    the manufacturer is likely free from liability.

    Employment bias attributed to age, gender, ethnicity, etc. is not benign.
    AI-hiring bots need to transparently disclose their justification for
    candidate employment approval or rejection. Automatic trust is not merited
    in this case. Human review and oversight of AI conclusions are required to
    double-check machine outcome.

    Malcolm Gladwell's "Talking to Strangers: What We Should Know about the
    People We Don't Know," teaches that human trust between humans hinges on the
    "Truth Default" concept. By default, humans believe their peers. He explores
    and discusses conditions that contribute to trust determination. He explains
    the elusive nature of human deception, and the challenges that burden
    experienced interrogators (judges, detectives, counter-intelligence agents,
    etc.) attempting to identify it.

    AI algorithm decisions might one day be automatically judged for bias if an
    international reference standard existed for this context. This "bias
    reference standard" would be analogous to the kilogram, meter, or second,
    but it would apply to AI algorithm bias detection and context.

    It is doubtful that a software stack, especially one using conditional
    Boolean logic, can serve in this reference capacity. It is unlikely that a
    human can engineer it directly. Perhaps an artificial generalized
    intelligence can evolve to serve humans in this magnanimous capacity. Until
    a universal bias reference standard emerges, a bias-free AI algorithm, or
    equivalent computation structure hosted via quantum, neuromorphic, and/or
    analog computers, appears unlikely to materialize.

    Unless governments tighten regulations and toughen enforcement, criminals
    and scurrilous interests will exploit AI at the public's expense.

    Scam surveillance programs, enhanced malware detection platforms, may
    comprise the next technological disruption that entrepreneurs and startups
    pursue. How will their unbiased trust be earned and shown to serve the
    public interest? Will they yield explainable, transparent, and fair outcomes
    that can withstand legal scrutiny?

    ------------------------------

    Date: Mon, 20 Jan 2020 10:51:17 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Clearview app lets strangers find your name, info with snap of a
    photo, report says (CNET)

    EXCERPT:

    What if a stranger could snap your picture on the sidewalk then use an app
    to quickly discover your name, address and other details? A startup called
    Clearview AI <https://clearview.ai/> has made that possible, and its app is
    currently being used by hundreds of law enforcement agencies in the US,
    including the FBI, says a Saturday report in The New York Times.
    <https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html>

    The app, says *The Times*, works by comparing a photo to a database of more
    than 3 billion pictures that Clearview says it's scraped off Facebook,
    Venmo, YouTube and other sites. It then serves up matches, along with links
    to the sites where those database photos originally appeared. A name might
    easily be unearthed, and from there other info could be dug up online.

    The size of the Clearview database dwarfs others in use by law enforcement.
    The FBI's own database, which taps passport and driver's license photos, is
    one of the largest, with over 641 million images of US citizens.

    The Clearview app isn't currently available to the public, but the Times
    says police officers and Clearview investors think it will be in the
    future. [...]

    https://www.cnet.com/news/clearview...r-name-info-with-snap-of-a-photo-report-says/

    ------------------------------

    Date: Sat, 18 Jan 2020 10:58:10 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: College career centers teach job applicants how to impress AI
    systems (CNN)

    It seems that hiring companies use AI system to analyze not just CV's, but
    also video job interviews.

    Full story:

    https://edition.cnn.com/2020/01/15/...n1440&utm_medium=email&utm_placement=etcetera

    ------------------------------

    Date: January 20, 2020 22:49:51 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Banning Facial Recognition Isn't Enough (Bruce Schneier, NYTimes)

    [via Dave Farber]

    Bruce Schneier, 20 Jan 2020
    The whole point of modern surveillance is to treat people differently, and
    facial recognition technologies are only a small part of that.

    https://www.nytimes.com/2020/01/20/opinion/facial-recognition-ban-privacy.html

    Communities across the United States are starting to ban facial recognition
    technologies. In May of last year, San Francisco banned facial recognition;
    the neighboring city of Oakland soon followed, as did Somerville and
    Brookline in Massachusetts (a statewide ban may follow). In December, San
    Diego suspended a facial recognition program in advance of a new statewide
    law, which declared it illegal, coming into effect. Forty major music
    festivals pledged not to use the technology, and activists are calling for a
    nationwide ban. Many Democratic presidential candidates support at least a
    partial ban on the technology.

    These efforts are well intentioned, but facial recognition bans are the
    wrong way to fight against modern surveillance. Focusing on one particular
    identification method misconstrues the nature of the surveillance society
    we're in the process of building. Ubiquitous mass surveillance is
    increasingly the norm. In countries like China, a surveillance
    infrastructure is being built by the government for social control. In
    countries like the United States, it's being built by corporations in order
    to influence our buying behavior, and is incidentally used by the
    government.

    In all cases, modern mass surveillance has three broad components:
    identification, correlation and discrimination. Let's take them in turn.

    Facial recognition is a technology that can be used to identify people
    without their knowledge or consent. It relies on the prevalence of cameras,
    which are becoming both more powerful and smaller, and machine learning
    technologies that can match the output of these cameras with images from a
    database of existing photos.

    But that's just one identification technology among many. People can be
    identified at a distance by their heart beat or by their gait, using a
    laser-based system. Cameras are so good that they can read fingerprints and
    iris patterns from meters away. And even without any of these technologies,
    we can always be identified because our smartphones broadcast unique numbers
    called MAC addresses. Other things identify us as well: our phone numbers,
    our credit card numbers, the license plates on our cars. China, for example,
    uses multiple identification technologies to support its surveillance state.

    Once we are identified, the data about who we are and what we are doing can
    be correlated with other data collected at other times. This might be
    movement data, which can be used to *follow* us as we move throughout our
    day. It can be purchasing data, internet browsing data, or data about who we
    talk to via email or text. It might be data about our income, ethnicity,
    lifestyle, profession and interests. There is an entire industry of data
    brokers who make a living analyzing and augmenting data about who we are --
    using surveillance data collected by all sorts of companies and then sold
    without our knowledge or consent.

    There is a huge -- and almost entirely unregulated -- data broker industry
    in the United States that trades on our information. This is how large
    internet companies like Google and Facebook make their money. It's not just
    that they know who we are, it's that they correlate what they know about us
    to create profiles about who we are and what our interests are. This is why
    many companies buy license plate data from states. It's also why companies
    like Google are buying health records, and part of the reason Google bought
    the company Fitbit, along with all of its data.

    The whole purpose of this process is for companies -- and governments -- to
    treat individuals differently. We are shown different ads on the internet
    and receive different offers for credit cards. Smart billboards display
    different advertisements based on who we are. In the future, we might be
    treated differently when we walk into a store, just as we currently are when
    we visit websites.

    The point is that it doesn't matter which technology is used to identify
    people. That there currently is no comprehensive database of heart beats or
    gaits doesn't make the technologies that gather them any less effective. And
    most of the time, it doesn't matter if identification isn't tied to a real
    name. What's important is that we can be consistently identified over
    time. We might be completely anonymous in a system that uses unique cookies
    to track us as we browse the internet, but the same process of correlation
    and discrimination still occurs. It's the same with faces; we can be tracked
    as we move around a store or shopping mall, even if that tracking isn't tied
    to a specific name. And that anonymity is fragile: If we ever order
    something online with a credit card, or purchase something with a credit
    card in a store, then suddenly our real names are attached to what was
    anonymous tracking information.

    ------------------------------

    Date: Sun, 26 Jan 2020 12:31:45 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: It May Be the Biggest Tax Heist Ever. And Europe Wants Justice
    (The New York Times)

    Stock traders are accused of siphoning $60 billion from state coffers, in a
    scheme that one called `the devil's machine'. Germany is the first country
    to try to get its money back.

    https://www.nytimes.com/2020/01/23/business/cum-ex.html

    ------------------------------

    Date: Sun, 26 Jan 2020 16:15:47 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: India Restores Some Internet Access in Kashmir After Long Shutdown
    (NYTimes)

    https://www.nytimes.com/2020/01/26/world/asia/kashmir-internet-shutdown-india.html

    ------------------------------

    Date: Tue, 21 Jan 2020 20:35:47 -0500
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Y2038 is here (Twitter)

    Wonderful and scary story about Y2038. It's here, now.

    Summary: a batch script that does financial projections 20 years out, dies
    on January 19, 2018.

    No one knew what was wrong at first. This batch job had never, ever
    crashed before, as far as anyone remembered or had logs for. The person
    who originally wrote it had been dead for at least 15 years, and in any
    case hadn't been employed by the firm for decades.

    [Unix Redux. 2038 seemed fairly far ahead when Ken Thompson chose that end
    date. Unix systems will still be around, and we will hear more
    beforehand, and then after the fixes don't last, just like Y2K. PLAN
    AHEAD means different things to different folks. PGN]
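
    The arithmetic behind that failure, as an added example that is not part of
    the Twitter thread or of this digest: it assumes the batch job stored its
    projected date in a 32-bit signed time_t (the thread does not say so; it is
    an assumption for the illustration). Counting 20 calendar years forward
    from 2018-01-19T03:14:08Z lands on 2038-01-19T03:14:08Z, which is
    2,147,483,648 seconds after the epoch, one more than INT32_MAX, so the
    32-bit result cannot be represented, while one second earlier still fits.
    The calendar conversions are Howard Hinnant's public-domain
    days_from_civil / civil_from_days algorithms; the two timestamps in main()
    are constructed inputs, not values from the original story.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the Y2038 failure described above (not code from the
 * thread). Models the job's "project 20 years ahead" step with a 32-bit signed
 * time_t (assumed) and compares it with the same arithmetic done in 64 bits. */

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant). */
static int64_t days_from_civil(int y, unsigned m, unsigned d) {
    y -= m <= 2;
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Inverse of days_from_civil. */
static void civil_from_days(int64_t z, int *y, unsigned *m, unsigned *d) {
    z += 719468;
    const int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    const unsigned doe = (unsigned)(z - era * 146097);
    const unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    const unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    const unsigned mp = (5 * doy + 2) / 153;
    *d = doy - (153 * mp + 2) / 5 + 1;
    *m = mp < 10 ? mp + 3 : mp - 9;
    *y = (int)(era * 400 + yoe) + (*m <= 2);
}

/* Same calendar date and time of day `years` later, computed in 64 bits.
 * A 29 February that lands in a non-leap year rolls to 1 March. Needs t >= 0. */
static int64_t add_years_64(int64_t t, int years) {
    int64_t days = t / 86400, secs = t % 86400;
    int y; unsigned m, d;
    civil_from_days(days, &y, &m, &d);
    return days_from_civil(y + years, m, d) * 86400 + secs;
}

/* The projection as a program built with a 32-bit signed time_t sees it:
 * returns false when the result does not fit in 32 bits, which is what the
 * batch job ran into on 2018-01-19. */
static bool add_years_32(int32_t t, int years, int32_t *out) {
    int64_t r = add_years_64(t, years);
    if (r > INT32_MAX || r < INT32_MIN) return false;
    *out = (int32_t)r;
    return true;
}

int main(void) {
    /* Constructed inputs: 2018-01-19T03:14:07Z and one second later. */
    const int32_t last_ok = 1516331647, first_bad = 1516331648;
    for (int i = 0; i < 2; i++) {
        int32_t now = i == 0 ? last_ok : first_bad, out;
        int64_t wide = add_years_64(now, 20);
        int y; unsigned m, d;
        civil_from_days(wide / 86400, &y, &m, &d);
        printf("now=%ld +20y -> %04d-%02u-%02u (%lld s): 32-bit time_t %s\n",
               (long)now, y, m, d, (long long)wide,
               add_years_32(now, 20, &out) ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

    The 64-bit path is the fix that current platforms apply (64-bit time_t);
    the point of keeping the 32-bit path is that a job which never crashed in
    decades can start failing on the first day its horizon reaches past
    2038-01-19T03:14:07Z, long before 2038 itself.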

    ------------------------------

    Date: Mon, 27 Jan 2020 12:21:54 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Yikes, friend's LinkedIn account hacked and spamming (Google)

    ... sending messages within LinkedIn with dodgy links. No reason LinkedIn
    accounts would be immune, so be alert.

    Plenty of previous reports:

    https://www.google.com/search?client=firefox-b-1-d&q=linkedin+account+hacked

    ------------------------------

    Date: Mon, 27 Jan 2020 15:49:04 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: From a car dealer

    Your Recent Service Experience

    TMNA_GEO_NAME_ENUM and BP_EXTERNAL_NAME_TXT would like to thank you for
    choosing a new TMNA_MODEL_NAME_AUTO. We appreciate your business and value
    you as a customer.

    About two weeks ago, we sent an email requesting your feedback. The
    information you provide will help TMNA_GEO_NAME_ENUM, its distributors, its
    affiliates, and BP_EXTERNAL_NAME_TXT continuously improve customer
    experiences.

    If you have already shared your feedback, please disregard this email.

    This survey will be active through TMNA_SURVEY_EXPIRATION_DATE_TEXT_EMAILS=
    Please begin by responding to the question below. [...]

    Please do not reply to this e-mail as we are not able to respond to messages
    sent to this address.

    ------------------------------

    Date: Tue, 21 Jan 2020 22:17:25 +0000
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: "Don't expect a return to the browser wars".

    I spotted this in a newspaper -- summary follows
    https://www.telegraph.co.uk/technology/2020/01/20/dont-expect-return-browser-wars/

    *The Telegraph*, 20 January 2020

    Don't expect a return to the browser wars. It has been two decades since
    Microsoft and the US government went to war over the former's efforts to
    crush challengers to its Internet Explorer web browser. Explorer's market
    share peaked at around 95pc in 2004 before heading rapidly down with the
    rise of superior rivals such as Mozilla's Firefox, Opera and then Google's
    Chrome. Whether Microsoft lost because of intervention or because free
    market innovation did its job is still a matter of debate. But the firm
    was relegated to an afterthought in the browser wars. Explorer remains the
    butt of many jokes. [Edge] runs on Chromium, the engine built by Google
    for the search company's own Chrome browser. Most net users are
    unconcerned about which web engines they use but they have been a key part
    of the battle between major software companies. Microsoft's [IE] browser
    -- once so dominant it triggered monopoly investigations on two continents
    -- managed to become so irrelevant it was not worth working to
    support. Quite a fall.

    I had to feel a twinge of sympathy for Microsoft as the EU court case
    dragged on for years, and when they paid the fine, hardly anybody was still
    using Internet Explorer anyway...

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.55
    ************************
     
  6. LakeGator

    Risks Digest 31.56

    RISKS List Owner

    Feb 4, 2020 6:47 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 4 February 2020 Volume 31 : Issue 56

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Iowa's Tally-by-App Experiment Fails (WSJ)
    Risks in the Iowa Tally fiasco (Sundry)
    Live frogs (Flyer Talk)
    Computers threaten saffron harvest (Eric Sosman)
    No smoke, no water, no waste. VR could train the next generation of
    firefighters (cnn.com)
    Artificial intelligence-created medicine to be used on humans for first time
    (bbc.com)
    Why asking an AI to explain itself can make things worse (MIT Tech Review)
    AI License Plate Readers Are Cheaper: Drive Carefully (WiReD)
    No more Punxsutawney Phil: It's long overdue for an AI groundhog
    instead, PETA says. (The Washington Post)
    Android Users Beware: this dangerous menace is already hiding on 43 million
    phones (Forbes)
    Why Google Backtracked on Its New Search Results Look (NYTimes)
    Regis University's cyberattack was ``a crisis of the highest order,''
    but investigators couldn't trace its origin (Denver Post)
    An artist wheeled 99 smartphones around in a wagon to create fake traffic
    jams on Google Maps (Business Insider)
    Very strange, still receiving security patches/updates for Windows 7
    systems (Gabe Goldberg)
    Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable
    (Security Ledger)
    The Fractured Future of Browser Privacy (WiReD)
    NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk (NYTimes)
    IKEA Promises New Data Controls for Consumers (WSJ)
    Facebook shows you how it stalks you. Here are the privacy settings to
    change. (WashPost)
    Re: Boeing 737s can't land facing west (R. G. Newbury)
    Re: Should Automakers Be Responsible for Accidents? (John Levine)
    Re: Election Security At The Chip Level (John Levine, Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 4 Feb 2020 12:27:23 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Iowa's Tally-by-App Experiment Fails (WSJ)

    Iowa’s Tally-by-App Experiment Fails

    ------------------------------

    Date: Tue, 4 Feb 2020 13:38:15 -0800
    From: "Peter G. Neumann" <peter....@sri.com>
    Subject: Risks in the Iowa Tally fiasco (Sundry)

    https://go.ind.media/webmail/546932/550762215/0ed6efde19172f984587fb6624e4e481dc208bc0a3090465ab7fedfcc3c2b280


    Shadow Inc reportedly sent out the caucus reporting app via TestFairy, which
    seemingly could enable lots of intruders to interpose themselves.

    TestFairy Documentation
    Here’s the Shadow Inc. App That Failed in Iowa Last Night

    [However, officials were quick to state that this was a "code error", not
    a hacking episode. Nevertheless, the entire system seems rather flaky, as
    do most of the other approaches to ensuring voting integrity. PGN]

    ------------------------------

    Date: Sat, 1 Feb 2020 12:38:47 +0000
    From: "Wendy M. Grossman" <wen...@pelicancrossing.net>
    Subject: Live frogs (Flyer Talk)

    Here's a risk you won't have solved in the 1960s on Multics. From the
    FlyerTalk American Airlines forum:

    Delayed due to... live frogs - FlyerTalk Forums

    >> Delayed due to... live frogs

    Yep you read that correctly, live frogs. On 2559 yesterday from DFW>DTW, we
    were delayed a few minutes at the gate in DFW due to a load of live
    frogs. According to the captain (who made two very nice, detailed
    announcements about it), there was a load of live frogs in the aft cargo
    hold and the computer just didn't like it and either wouldn't allow them
    there or it couldn't compute them being there. So thankfully instead of
    keeping us delayed, they offloaded them for a later flight.

    The funniest part was that after we landed, and on the looooong taxi at DTW
    to the gate, I heard what sounded like frogs. It was probably just somebody
    still asleep and snoring intermittently, but part of me wonders if there was
    a load in the forward hold that did get to travel.

    Just might be the funniest delay I've encountered.>>

    ------------------------------

    Date: Tue, 4 Feb 2020 13:55:29 -0500
    From: Eric Sosman <eso...@comcast.net>
    Subject: Computers threaten saffron harvest

    Over-reliance on technology may doom the United States' latest attempt to
    produce saffron in commercially significant quantities. The spice comes from
    the /crocus sativus/ flower, grown primarily in a region stretching from
    Spain to Kashmir. From (admittedly fragmentary) reports it appears American
    farmers and entrepreneurs have been using computer-aided methods to attempt
    to grow this crocus in the American Midwest, perhaps for fear of (or in
    hopes of) higher tariffs against the import of foreign saffron.
    Unfortunately, the effort has run into a snag: computer malfunctions are
    said to have messed up the Iowa crocuses.

    ------------------------------

    Date: Wed, 29 Jan 2020 16:02:10 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: No smoke, no water, no waste. VR could train the next generation of
    firefighters (cnn.com)

    Fighting wildfires with virtual reality - CNN

    Conserving material resources during training, via computer simulation, is
    an environmental gain, but can a simulator prepare superior fire-fighter
    capability for deployment during a city-wide conflagration, or during a
    catastrophic forest fire?

    The essay describes mechanical fire-hose force feedback as a simulator
    feature. The simulation effectively renders smoke, flame, foam application,
    and other combustion effects. A thermal suit heats up the trainee when
    approaching a simulated flame wall. Is the simulation fidelity sufficiently
    meritorious to fully abandon hands-on training and fire suppression
    equipment deployment?

    I wonder if the simulator can train a firefighter how to use a PyroLance
    (This water gun can cut through concrete)?

    Risk: VR training supplement versus traditional hands-on person-in-the-loop
    firefighter qualification effectiveness.

    ------------------------------

    Date: Thu, 30 Jan 2020 20:10:57 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Artificial intelligence-created medicine to be used on humans for
    first time (bbc.com)

    AI-created drug to be used on humans for first time

    Historically, there's 1000 to 1 odds against a candidate drug succeeding in
    the marketplace. See
    The High Cost of and Uncertain Path to a Blockbuster Drug.

    "Typically, drug development takes about five years to get to trial, but the
    AI drug took just 12 months.

    "Exscienta chief executive Prof Andrew Hopkins described it as a 'key
    milestone in drug discovery.'"

    That AI drug design is applied to accelerate synthesis may improve these
    odds. It would appear to reduce the human effort expended for development.

    Whether or not patient outcome benefit materializes is to be shown (or not)
    by clinical studies, and hopefully, a double-blind clinical study BEFORE
    final regulatory approval is granted.

    ------------------------------

    Date: February 3, 2020 4:06:02 JST
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Why asking an AI to explain itself can make things worse
    (MIT Tech Review)

    Creating neural networks that are more transparent can lead us to over-trust
    them. The solution might be to change how they explain themselves.

    Upol Ehsan once took a test ride in an Uber self-driving car
    <Self-Driving Cars>. Instead
    of fretting about the empty driver's seat, anxious passengers were
    encouraged to watch a *pacifier* screen that showed a car's-eye view of the
    road: hazards picked out in orange and red, safe zones in cool blue.

    For Ehsan, who studies the way humans interact with AI at the Georgia
    Institute of Technology in Atlanta, the intended message was clear: ``Don't
    get freaked out -- this is why the car is doing what it's doing.'' But
    something about the alien-looking street scene highlighted the strangeness
    of the experience rather than reassuring. It got Ehsan thinking: what if the
    self-driving car could really explain itself?

    The success of deep learning
    <Deep Learning tagged stories> is due to tinkering:
    the best neural networks are tweaked and adapted to make better ones, and
    practical results have outpaced theoretical understanding. As a result, the
    details of how a trained model works are typically unknown. We have come to
    think of them as black boxes
    <AI researchers want to study AI the same way social scientists study humans>
    .

    A lot of the time we're okay with that when it comes to things like playing
    Go or translating text or picking the next Netflix show to binge on. But if
    AI is to be used to help make decisions in law enforcement, medical
    diagnosis, and driverless cars, then we need to understand how it reaches
    those decisions -- and know when they are wrong.

    People need the power to disagree with or reject an automated decision, says
    Iris Howley <Iris Howley>, a computer scientist at
    Williams College in Williamstown, Massachusetts. Without this, people will
    push back against the technology. ``You can see this playing out right now
    with the public response to facial recognition systems,'' she says.

    Ehsan is part of a small but growing group of researchers trying to make AIs
    better at explaining themselves, to help us look inside the black box. The
    aim of so-called interpretable or explainable AI (XAI) is to help people
    understand what features in the data a neural network is actually learning
    -- and thus whether the resulting model is accurate and unbiased. [...]

    Why asking an AI to explain itself can make things worse - TECHTELEGRAPH
    https://www.technologyreview.com/s/615110/why-asking-an-ai-to-explain-itself-can-make-things-worse/

    ------------------------------

    Date: Sat, 1 Feb 2020 00:43:26 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: AI License Plate Readers Are Cheaper: Drive Carefully (WiReD)

    https://www.wired.com/story/ai-license-plate-readers-cheaper-drive-carefully/

    ------------------------------

    Date: Thu, 30 Jan 2020 09:08:25 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: No more Punxsutawney Phil: It's long overdue for an AI groundhog
    instead, PETA says. (The Washington Post)

    https://www.washingtonpost.com/nation/2020/01/29/groundhog-peta-punxsutawney/

    PETA has a point: Groundhogs hibernate during Winter; that's what ectotherms
    do.

    But Phil's celebrity status commands performance: he must also visit school
    children during the Winter, pose for magazine covers (Rat Mag, Rodent of The
    Year). He's part of a mandatory PR campaign that sustains Punxsutawney, PA
    tourism foot traffic.

    But simulate Punxsutawney Phil with artificial intelligence to determine if
    Winter will extend by another 6 weeks? AI is overkill for this purpose.

    Why not employ a Magic 8-ball or a coin-toss to prognosticate an extended
    winter? Granted, these choices lack glamor; they are not newsworthy, but
    they are likely as accurate as the appearance (or not) of Phil's shadow.

    ------------------------------

    Date: Wed, 29 Jan 2020 13:06:10 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Android Users Beware: this dangerous menace is already hiding on 43
    million phones (Forbes)

    ``This shows how hard it is for users to stay safe'', the CEO of mobile
    security firm Upstream warns. The company is about to publish a report into
    the Android threat landscape. The data is staggering. The company has
    unearthed 98,000 malicious apps, which have infected 43 million devices. The
    worst five apps, Dimitris Maniatis tells me, have been downloaded 700
    million times, ``this shows the scale of the issue.''
    <https://www.secure-d.io/mobileadfraud2019report/>

    *And that risk is accelerating. That number of malicious apps is up 50% in
    the last year, and shows every sign of spiraling out of control.*

    This can now be viewed as an endemic problem with mobile apps downloaded
    from Google's Play Store -- despite Google Protect and the App Defense
    Alliance, some 50% of the bad apps exposed by Upstream *were or are*, in the
    official Play Store. Countless stories have been written about the hundreds
    of malicious apps with hundreds of millions of installs. The key question is
    what is the scale of the issue?
    <https://www.forbes.com/sites/zakdof...e-fixbut-does-it-make-you-safer/#7557b2514337>.

    Upstream has collated the data from its Secure-D security platform, data
    collected by 31 different network operators across 20 different countries,
    data representing the devices of almost 700 million different users.

    In its report <https://www.secure-d.io/mobileadfraud2019report/>, Upstream
    explains the methods by which users are enticed to install malicious malware
    and then grant a raft of permissions that goes way beyond what is required
    for the app's claimed purpose. That malware then communicates with
    its controllers, seeking instructions and content to operate. The apps are
    designed to remain hidden, not arousing suspicion, avoiding an uninstall.

    The primary issue with mobile malware is advertising or click fraud.
    Trivial apps that pull unwanted ads onto devices to run in the background or
    as a foreground nuisance. For advertisers, this results in millions of
    dollars of fraudulent charges. For users, the issue is degraded performance,
    drained batteries and huge data bills. There is also the issue that such
    apps can lead to devices being infected with more dangerous malware. [...]

    https://www.forbes.com/sites/zakdof...enace-is-already-hiding-on-43-million-phones/

    ------------------------------

    Date: Sat, 1 Feb 2020 19:52:51 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why Google Backtracked on Its New Search Results Look (NYTimes)

    The Internet giant, which some lawmakers and regulators say has grown too
    powerful, tweaked the way it displayed ads on search results. It did not go
    over well.

    https://www.nytimes.com/2020/01/31/technology/google-search-results.html

    ------------------------------

    Date: Tue, 28 Jan 2020 19:39:45 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Regis University's cyberattack was ``a crisis of the highest order,''
    but investigators couldn't trace its origin (Denver Post)

    [Follow-up to RISKS-31.39 (29 August 2019)]

    Elizabeth Hernandez, *The Denver Post*, 28 Jan 2020

    Information-technology experts from across Colorado convened at Regis
    University on Tuesday to learn never-before-shared details about last
    year's crippling cyberattack -- an experience the private Jesuit college's
    chief information officer called "a crisis of the highest order."

    A few new details revealed during the presentation:

    * Federal and third-party investigators were unable to determine a root
    cause of the attack, meaning it's unclear how the attack originated

    * The hacker -- determined to be from outside the country -- attacked
    Regis's backups first

    * When faced with the decision to rebuild the IT system or repair it,
    officials decided to rebuild and update

    https://www.denverpost.com/2020/01/28/regis-university-cyberattack-ransomware/

    ------------------------------

    Date: Mon, 3 Feb 2020 16:44:05 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: An artist wheeled 99 smartphones around in a wagon to create
    fake traffic jams on Google Maps (Business Insider)

    https://www.businessinsider.com/google-maps-traffic-jam-99-smartphones-wagon-2020-2

    [Also noted: "Performance artist generates virtual traffic jams in Google
    Maps by pulling a wagon full of smartphones"

    "99 second hand smartphones are transported in a handcart to generate
    virtual traffic jam in Google Maps. Through this activity, it is
    possible to turn a green street red which has an impact in the physical
    world by navigating cars on another route to avoid being stuck in
    traffic. " [...]

    #googlemapshacks
    http://www.simonweckert.com/googlemapshacks.html via

    PGN]

    ------------------------------

    Date: Wed, 29 Jan 2020 15:57:14 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Very strange, still receiving security patches/updates for Windows
    7 systems

    One Windows 7 Ultimate system, one Windows Professional, have Windows
    Security Essentials being updated daily. Was Microsoft kidding about no
    updates after January 14? Or did I get the year wrong? (No, I didn't).
    Plus, the Win 7 Ultimate system got Pop-Up of Doom on January 14. But
    updates keep rolling along. No, I didn't jump through the hoops to purchase
    extended support and I didn't get a gift card saying that someone bought it
    for me.

    It'll be interesting seeing what happens next Patch Tuesday, but still this
    is already puzzling.

    ------------------------------

    From: Shawn Merdinger <shaw...@gmail.com>
    Date: Tue, 28 Jan 2020 19:38:30 -0500
    Subject: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable
    (Security Ledger)

    https://securityledger.com/2020/01/...res-of-eas-systems-sit-un-patched-vulnerable/

    ------------------------------

    Date: Sat, 1 Feb 2020 00:24:11 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Fractured Future of Browser Privacy (WiReD)

    https://www.wired.com/story/chrome-firefox-edge-browser-privacy/

    ------------------------------

    Date: Sat, 1 Feb 2020 16:32:03 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk
    (NYTimes)

    https://www.nytimes.com/2020/01/31/health/pharmacists-medication-errors.html

    ------------------------------

    Date: Mon, 3 Feb 2020 09:52:36 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: IKEA Promises New Data Controls for Consumers (WSJ)

    https://www.wsj.com/articles/ikea-promises-new-data-controls-for-consumers-11580383800

    ------------------------------

    Date: Sat, 1 Feb 2020 11:28:10 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Facebook shows you how it stalks you. Here are the privacy settings
    to change. (WashPost)

    The new 'Off-Facebook Activity' tool, available around the world Tuesday,
    reminds us we're living in a reality TV program where we forget the cameras
    are always on. Here are the privacy settings to change right now.

    https://www.washingtonpost.com/technology/2020/01/28/off-facebook-activity-page/

    ------------------------------

    Date: Mon, 3 Feb 2020 22:29:39 -0500
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Boeing 737s can't land facing west (RISKS-31.54)

    As a first guess, I would suspect that somewhere in the code, there is a
    conversion from polar to rectangular reference frames (or vice versa) and
    X=r * cos(theta) with theta=270 gives zero and either a 'NAN' or divide by
    zero error crashes the program.

    You would need that sort of calculation to find the rhumb and distance,
    knowing the lat/long of the present and destination positions. 'X' is the
    Difference of Latitude in miles (Y is the Departure).

    Using GPS you know the present and destination positions, but the pilot
    wants to know 'how far' and 'what direction'. The calculations will be done
    using true and then, if desired, corrected to magnetic bearings.

    [John Stockton noted:
    Tangent of 270 degrees (and of 90 degrees) is numerically dangerous, each
    being, so to speak, +- infinity.
    Perhaps, to the accuracy of the arithmetic, those 7 runways are EXACTLY 270
    degrees true, and others are only *nearly* 270 degrees true.]

    [PGN noted that this should remind some of us old-timers of the joke about
    the plane that crashed because all the Poles in the Left Half (of the)
    Plane. PGN]
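
    As an added illustration of the degenerate-heading failure speculated about in
    this thread (example code written for this page, not code from the post or from
    any avionics product): a small Python model of the plane-sailing calculation,
    with X the difference of latitude and Y the departure as above, comparing a
    bearing recovered from atan(Y/X) against one from atan2(Y, X). The coordinates
    are constructed, and 60 nautical miles per degree of latitude is the usual
    plane-sailing approximation; a leg due west has X exactly 0.0, which is the
    case that bites.

```python
import math

# Plane-sailing approximation (assumption): one degree of latitude is 60 nautical
# miles, and east-west distance shrinks with the cosine of the mid-latitude.
NM_PER_DEGREE = 60.0


def plane_sailing_components(lat1, lon1, lat2, lon2):
    """Return (X, Y) as in the post: X is the difference of latitude and Y the
    departure (east-west distance), both in nautical miles.  Inputs are decimal
    degrees; north and east are positive."""
    x = (lat2 - lat1) * NM_PER_DEGREE
    mid_lat = math.radians((lat1 + lat2) / 2.0)
    y = (lon2 - lon1) * NM_PER_DEGREE * math.cos(mid_lat)
    return x, y


def bearing_naive(x, y):
    """Recover the true bearing from tan(theta) = Y / X with a plain atan.
    A leg due east or due west has X == 0.0 exactly, so the division fails:
    Python raises ZeroDivisionError here, while IEEE arithmetic in C would
    silently yield an infinity (or NaN for a zero-length leg)."""
    theta = math.degrees(math.atan(y / x))
    if x < 0:            # atan only covers -90..90; fold the southern half-plane
        theta += 180.0
    return theta % 360.0


def bearing_safe(x, y):
    """Same bearing via atan2, which takes both components and never divides."""
    return math.degrees(math.atan2(y, x)) % 360.0


def distance_nm(x, y):
    """Rhumb-line distance for the leg (plane-sailing), in nautical miles."""
    return math.hypot(x, y)


def compare_bearings(lat1, lon1, lat2, lon2):
    """Return (naive, safe) bearings in degrees true; naive is None when the
    tan-based formula blows up on a degenerate leg."""
    x, y = plane_sailing_components(lat1, lon1, lat2, lon2)
    try:
        naive = bearing_naive(x, y)
    except ZeroDivisionError:
        naive = None
    return naive, bearing_safe(x, y)


if __name__ == "__main__":
    origin = (32.9, -97.0)                       # constructed, roughly DFW
    legs = {
        "due west (exactly 270 true)": (32.9, -98.0),
        "nearly west":                 (32.9 + 1e-9, -98.0),
        "due north":                   (33.9, -97.0),
    }
    for label, dest in legs.items():
        naive, safe = compare_bearings(*origin, *dest)
        print(f"{label:30s} naive={naive!s:>22} atan2={safe:.6f}")
```

    The "nearly west" leg shows John Stockton's point: a heading that is only
    almost 270 passes through the naive formula, while the exactly-west leg does not.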

    ------------------------------

    Date: 4 Feb 2020 17:07:51 -0500
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Should Automakers Be Responsible for Accidents?

    > Automaker enterprise liability would have useful incentives that driver
    > liability law misses.
    > https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf

    I can hardly wait:

    "Sorry, sir, you've had three moving violations so we'll have to ask
    you to leave the showroom now."

    ------------------------------

    Date: 4 Feb 2020 17:15:43 -0500
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Election Security At The Chip Level (SemiEngineering via
    Goldberg, RISKS-31.54)

    The comments on this article are much better than the article. They say
    that voting electronically is a well known bad idea, so stop.

    Elections have a unique security model: You need a reliable list of who
    voted, you need a reliable list of who or what they voted for, and you need
    to be confident there's no way to link those two lists. Nothing else works
    that way.

    That's why even though voting machines may look like ATMs, an ATM is a
    dreadful model to use since with ATMs, the bank has full knowledge of all of
    the details of every transaction, e.g., when you were there, who you are,
    what you did, how much money it dispensed, all linked together.

    As has been pointed out too many times, paper ballots dropped into a box,
    along with observers to ensure that only people on the voter list got to
    vote, satisfy the model quite well. If you want to have machines scan and
    count the ballots, that's fine, but the paper ballots are the actual record.

    ------------------------------

    Date: Tue, 4 Feb 2020 17:27:21 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Election Security At The Chip Level (RISKS-31.54)

    ATMs -- maybe only one "advantage": they have your PICTURE, proving
    identity, thanks to ubiquitous security cameras. Of course, voter ID laws
    head in that direction introducing another gaggle of problems while solving
    a non-problem.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.56
    ************************
     
  7. ValdostaGatorFan

    Boy, that sure caused a mess. I know a guy who worked for the city and involved in the situation who gave me some more info. Contractor allegedly disabled an alarm system while he worked on it. Sorry to our southern neighbors and to the Withlacoochee :(
     
  8. LakeGator

    Risks Digest 31.57

    RISKS List Owner

    Feb 10, 2020 8:16 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 10 February 2020 Volume 31 : Issue 57

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Backhoes, squirrels, and woodpeckers as DoS vectors (Richard Forno)
    Benjamin Netanyahu's election app potentially exposed data for every Israeli
    voter (WashPost)
    The app that broke the Iowa caucus, an inside look (CNET)
    Tesla Remotely Removes Autopilot Features From Customer's Used Tesla
    Without Any Notice (Clean Technica)
    Recent Car Thefts May Be Related To Carsharing App Getaround, Warns
    D.C. Attorney General (DCist)
    SSL Certificates are expiring... (Cryptography)
    Nasty Linux, macOS sudo bug found and fixed (ZDNet)
    Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)
    Data leakage from portable versions of Open Office and Libre Office
    (Arthur T.)
    Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)
    The `manosphere' is getting more toxic as angry men join the incels
    (MIT Tech Review)
    Explainable AI (Chris Elsässer)
    Read the FBI's Damning Case Against the Recently Arrested Nintendo Hacker
    (Vice)
    Who owns your feelings? Short doc shows how big tech uses AI to track
    emotions (CBC)
    Photo Roulette on the App Store (Gabe Goldberg)
    The 'race to 5G' is a myth (WEForum)
    Not all fun and memes: What's the trouble with TikTok? (CBC)
    The Night Sky Will Never Be the Same (The Atlantic)
    Boeing's Starliner space capsule suffered a second software
    glitch during December test flight (WashPost)
    Boeing Refuses to Cooperate With New Inquiry into Deadly Crash (NYTimes)
    NASA Shares Initial Findings from Boeing Starliner Orbital Flight Test
    Investigation (NASA)
    Re: Boeing 737s can't land facing west (Terje Mathisen)
    Re: 99 smartphones ... (3daygoaty, JC Cantrell)
    Re: Artificial intelligence-created medicine to be used on humans for
    first time (Mark Thorson)
    Re: AI-created medicine to be used on humans (Henry Baker)
    Re: Election Security At The Chip Level (John R. Levine)
    Re: Should Automakers Be Responsible for Accidents? (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 10 Feb 2020 08:53:28 -0500
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Backhoes, squirrels, and woodpeckers as DoS vectors

    [The video shows] a wireless antenna in California. Network coverage was
    disrupted by an Acorn woodpecker, a 3-ounce bird stashing an estimated 35-50
    gallons/300lbs of acorns.



    Social media have been attributing this to squirrels for a long time. I
    of course try to correct people anytime I see this. It just proves that
    attribution can be really difficult. RF

    [We have had numerous squirrel and a few notable backhoe stories in the
    RISKS archives. But woodpeckers also have had their opportunities, e.g.,
    in RISKS-17.16: ``Woodpeckers could delay shuttle.'' Furthermore, I note
    that the quote "If builders built houses the way programmers write
    programs, the first woodpecker that came along would destroy
    civilization." managed to peck its way into *three* different issues,
    RISKS-10.07 (June 1990), 23.74 (Feb 2005), and 28.21 (August 2014), so
    they keep coming back. A hardy bunch, these woodpeckers. They really get
    around. Indeed, they really get a round hole where there are not even any
    square pegs. PGN]

    ------------------------------

    Date: Mon, 10 Feb 2020 08:36:47 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Benjamin Netanyahu's election app potentially exposed data for
    every Israeli voter (WashPost)

    https://www.washingtonpost.com/worl...f606c0-4bfe-11ea-967b-e074d302c7d4_story.html

    ------------------------------

    Date: Thu, 6 Feb 2020 16:45:00 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The app that broke the Iowa caucus, an inside look (CNET)

    *A cybersecurity company got hold of the code for Shadow, the app used in
    the Iowa caucus, and spoke to CNET about what it found*

    EXCERPT:

    Results from Monday's Iowa caucus were delayed for days because of problems
    with a smartphone app used to tabulate and report results, causing chaos and
    frustration among campaigns and voters. A reported coding issue caused the
    app to only report out partial data, Iowa Democratic Chairman Troy Price
    said in a statement.

    <As Iowa caucuses arrive, Facebook has a trust problem>
    <Switch to new tech mucks up Iowa caucus results>
    <Iowa caucus app debacle: What went wrong? Here's what we know so far>

    Cybersecurity company Blue Hexagon obtained a copy of the app, created by a
    company called Shadow, Inc. Blue Hexagon's head of cyberthreat intelligence
    and operations, Irfan Asrar, spoke with CNET's Dan Patterson about what went
    wrong and the overarching cybersecurity concerns this presents for the rest
    of the 2020 election.
    <The scariest hacks and vulnerabilities of 2019 | ZDNet>

    Blue Hexagon is still diagnosing exactly why the app failed. But the final
    version of the app has several problems within the code, including links to
    people's personal websites, Asrar said. "What we believe is, this is an
    oversight, and an example of the app being rushed into production," he
    added. The larger concern is that the app was so easy to obtain, which
    means anyone could access the infrastructure supporting it and potentially
    cause damage, Asrar said.

    Watch the video for the full interview
    <https://www.cnet.com/videos/inside-...at-the-mobile-app-that-broke-the-iowa-caucus/>
    and more insight into the Shadow, Inc. app. [...]
    https://www.cnet.com/news/the-app-that-broke-the-iowa-caucus-an-inside-look/

    [The whole situation smells of gross incompetence, trust in flaky
    outsourcing, lack of assurance, testing, and many other problems long
    considered in RISKS. If every computer system is simply badly conceived
    and ultimately flawed and compromisable internally or externally, why
    would you expect anything else here?

    In addition to all of the above, Rachel Maddow had on her 6 Feb 2020 show
    a reprise of the massive denial of service in 2002 in the New Hampshire
    election for Sununu that disrupted telephone banks intending to get out
    the vote for Democrats. This exact DoS was repeated by the Reps in 2020
    to totally disrupt the Iowa caucus after the Dems turned to phone lines to
    call in the results. This kind of disruption is clearly out of control,
    even with the Dem's having overprovisioned their servers. PGN]

    ------------------------------

    Date: Mon, 10 Feb 2020 08:54:45 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tesla Remotely Removes Autopilot Features From Customer's Used
    Tesla Without Any Notice (Clean Technica)

    EXCERPT:

    One of the less-considered side effects of car features moving from
    hardware to software is that important features and abilities of a car can
    now be removed without any actual contact with a given car. Where once
    de-contenting involved at least a screwdriver (or, if you were in a hurry,
    a hammer), now thousands of dollars of options can vanish with the click of
    a mouse somewhere. And that's exactly what happened to one Tesla owner,
    and, it seems many others.

    Alec (I'll withhold his last name for privacy reasons) bought a 2017 Tesla
    Model S on December 20 of last year, from a third-party dealer who bought
    the car directly from Tesla via auction on November 15, 2019. The car was
    sold at auction as a result of a California Lemon Law buyback, as the car
    suffered from a well-known issue where the center-stack screen developed a
    noticeable yellow border.
    <https://cleantechnica.com/2019/07/06/tesla-rolls-out-uv-light-fix-for-yellowing-screen-border/>

    When the dealer bought the car at auction from Tesla on November 15, it was
    optioned with both Enhanced Autopilot and Tesla's confusingly-named Full
    Self Driving Capability; together, these options totaled $8,000. You can see
    them right on the Monroney sticker for the car:...
    <https://jalopnik.com/tesla-is-still-using-the-phrase-full-self-driving-to-de-1835012651>
    https://jalopnik.com/tesla-remotely-removes-autopilot-features-from-customer-1841472617

    ------------------------------

    Date: Wed, 5 Feb 2020 18:05:36 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Recent Car Thefts May Be Related To Carsharing App Getaround,
    Warns D.C. Attorney General (DCist)

    “Vehicles listed on Getaround could be at increased risk of theft because
    keys are left inside of the car and the car’s location is visible to anyone
    searching the platform,” according to a release from the OAG.

    https://dcist.com/story/20/02/05/re...ing-app-getaround-warns-d-c-attorney-general/

    Ya think?

    ------------------------------

    Date: February 1, 2020 at 9:08:55 AM GMT+9
    From: Henry Baker <hba...@pipeline.com>
    Subject: SSL Certificates are expiring... (Cryptography)

    ``Forget the Y2K bug, "things" are starting to break as SSL Certificates
    start expiring.''

    Several authority certificates are expiring:
    5/30/2020
    6/21/2020
    9/22/2020
    12/31/2020

    IoT -- Internet of Expired Certificates.

    Perfectly good HW, but with firmware that can't be updated.

    I just hope that implantable medical devices can have their builtin
    certificates updated!

    I wonder how many "smart" *cars* will stop running when their builtin SSL
    certificates expire?

    Problems: bad hash functions (MDx,SHA1) are also causing certificate
    problems even though the RSA algorithm -- even at 1024 bits -- still seems
    to be holding.
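    An added example, not part of Henry Baker's post or the Cryptography thread,
    that shows why an expiring authority certificate breaks a device whose trust
    store cannot be updated: a constructed root CA that stops being valid on 30
    May 2020 (one of the dates listed above), a device certificate it issued that
    is nominally good until 2029, and a verification at a clock time on either
    side of the root's expiry. The names, key type and dates are assumptions
    chosen for the example; it uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity windows (assumptions for the example, not real CAs):
// the root stops being valid on 30 May 2020, one of the dates in the post,
// while the device certificate it signed nominally runs until 2029.
var (
	caNotBefore   = time.Date(2010, 5, 30, 0, 0, 0, 0, time.UTC)
	caNotAfter    = time.Date(2020, 5, 30, 0, 0, 0, 0, time.UTC)
	leafNotBefore = time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	leafNotAfter  = time.Date(2029, 1, 1, 0, 0, 0, 0, time.UTC)
)

// BuildChain creates a self-signed root CA and a device certificate issued
// by it, as a manufacturer's PKI would at provisioning time.
func BuildChain() (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device Root CA (constructed)"},
		NotBefore:             caNotBefore,
		NotAfter:              caNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "device-001.example"},
		DNSNames:     []string{"device-001.example"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// VerifyAt validates leaf the way a device with a frozen trust store does:
// the only root it knows is ca, and its clock reads now.
func VerifyAt(ca, leaf *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "device-001.example", CurrentTime: now})
	return err
}

// EarliestExpiry is the moment the chain as a whole stops validating: the
// earliest NotAfter of any certificate in it, root included. That is the date
// a device inventory has to track, not just the leaf's own.
func EarliestExpiry(chain ...*x509.Certificate) time.Time {
	earliest := chain[0].NotAfter
	for _, c := range chain[1:] {
		if c.NotAfter.Before(earliest) {
			earliest = c.NotAfter
		}
	}
	return earliest
}

func main() {
	ca, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	clock := time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Printf("clock %s: verify -> %v\n", clock.Format("2006-01-02"), VerifyAt(ca, leaf, clock))
	fmt.Println("chain stops validating at", EarliestExpiry(ca, leaf).Format("2006-01-02"))
}
```

    Go checks the validity window of every certificate in the chain, the root
    included, so once the clock passes the root's NotAfter the device certificate
    fails verification even though its own dates are fine. The practical check
    for a fleet is therefore the earliest NotAfter across each device's whole
    trust chain, which is what EarliestExpiry reports.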

    ------------------------------

    Date: Wed, 5 Feb 2020 01:02:54 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nasty Linux, macOS sudo bug found and fixed (ZDNet)

    Sudo is a very popular, very simple Unix-system sysadmin application. It
    enables users to switch identities for the purpose of running a single
    command. Usually, but not always, it lets you run a command as the root,
    system administrator, user. Sudo's easy to abuse, but it's so darn useful,
    until it's not. A recently discovered sudo bug once more spells out why you
    should be wary of this command.

    In this latest security hole, CVE-2019-18634, Apple Information Security
    researcher Joe Vennix discovered that if the "pwfeedback" option is enabled
    in your sudoers configuration file, any user, even one who can't run sudo or
    is listed in the sudoers file, can crack a system.

    https://www.zdnet.com/article/nasty-linux-macos-sudo-bug-found-and-fixed/
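    A defender-side check to go with this item, added here and not part of the
    ZDNet article or of sudo itself: it reads sudoers text and reports whether
    the pwfeedback option is actually in effect, which is the condition the bug
    depends on. The sample sudoers content is constructed. The parser covers the
    parts of the Defaults syntax that matter for this question (comma-separated
    option lists, "!" negation, backslash continuations, quoted values, and the
    scoped Defaults:user / Defaults@host / Defaults>runas / Defaults!command
    forms, which it reports separately because they apply conditionally). It
    does not follow #include or #includedir directives; pass the contents of any
    included files as further arguments.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// PwfeedbackReport is the result of scanning one or more sudoers files.
type PwfeedbackReport struct {
	Global bool     // value of pwfeedback after all unconditional Defaults lines, in order
	Scoped []string // conditional Defaults lines (":user", "@host", ">runas", "!cmd") that turn it on
}

// logicalLines joins backslash-continued lines, as sudo's parser does.
func logicalLines(text string) []string {
	var lines []string
	var cur strings.Builder
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasSuffix(line, "\\") {
			cur.WriteString(strings.TrimSuffix(line, "\\"))
			continue
		}
		cur.WriteString(line)
		lines = append(lines, cur.String())
		cur.Reset()
	}
	if cur.Len() > 0 {
		lines = append(lines, cur.String())
	}
	return lines
}

// splitOptions splits a Defaults option list on commas that sit outside
// double quotes, so a quoted secure_path containing commas stays intact.
func splitOptions(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	flush := func() {
		if f := strings.TrimSpace(cur.String()); f != "" {
			out = append(out, f)
		}
		cur.Reset()
	}
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			flush()
		default:
			cur.WriteRune(r)
		}
	}
	flush()
	return out
}

// optionName strips leading "!" marks (an odd count negates) and any =, +=
// or -= value from a Defaults entry, returning (name, negated).
func optionName(opt string) (string, bool) {
	n := 0
	for n < len(opt) && opt[n] == '!' {
		n++
	}
	name := opt[n:]
	if i := strings.IndexAny(name, "=+- \t"); i >= 0 {
		name = name[:i]
	}
	return strings.ToLower(name), n%2 == 1
}

// ScanSudoers applies every Defaults line from the given files in order, as
// sudo does (a later line overrides an earlier one), and reports the resulting
// state of pwfeedback.
func ScanSudoers(files ...string) PwfeedbackReport {
	var rep PwfeedbackReport
	for _, text := range files {
		for _, raw := range logicalLines(text) {
			line := strings.TrimSpace(raw)
			if line == "" || strings.HasPrefix(line, "#") || !strings.HasPrefix(line, "Defaults") {
				continue
			}
			rest := line[len("Defaults"):]
			scoped := rest != "" && strings.ContainsRune(":@>!", rune(rest[0]))
			if scoped { // drop the scope token (user, host, runas or command) up to the first blank
				i := strings.IndexAny(rest, " \t")
				if i < 0 {
					continue
				}
				rest = rest[i:]
			}
			for _, opt := range splitOptions(rest) {
				name, negated := optionName(opt)
				if name != "pwfeedback" {
					continue
				}
				if scoped {
					if !negated {
						rep.Scoped = append(rep.Scoped, line)
					}
				} else {
					rep.Global = !negated
				}
			}
		}
	}
	return rep
}

// Constructed sample sudoers fragment for the example; not from any real host.
const sudoersSample = `# constructed sudoers fragment
Defaults env_reset
Defaults mail_badpass, \
         pwfeedback
Defaults secure_path="/usr/local/sbin:/usr/local/bin,/usr/sbin:/usr/bin"
Defaults:alice !pwfeedback
root ALL=(ALL:ALL) ALL
`

func main() {
	rep := ScanSudoers(sudoersSample)
	fmt.Printf("pwfeedback globally enabled: %v, conditional enables: %d\n", rep.Global, len(rep.Scoped))
}
```

    Run it over the main sudoers file together with everything it includes. A
    Global of true, or any entry in Scoped, means the visual password feedback
    the article describes is switched on; on a sudo build without the fix, the
    remediation is to turn the option off or upgrade.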

    ------------------------------

    Date: Fri, 7 Feb 2020 10:32:15 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)

    To exploit the bugs, attackers would first need a foothold inside a target's
    network, but from there they could fan out quickly, compromising one
    vulnerable Cisco device after another to bore deeper into a system. And once
    attackers controlled a switch or router they could start to intercept
    unencrypted network data, like files and some communications, or access a
    company's *active directory*, which manages authentication for users and
    devices.

    ``It's still hop by hop. As a hacker, you still need an initial attack vector
    into the network,'' says Ang Cui, founder of the IoT security firm Red
    Balloon, who has disclosed numerous Cisco bugs. ``But once you’re there, at
    each hop you have the same vulnerability present -- all the switches,
    firewalls, and routers in a network could be affected by this. So you're
    going to have to own a lot of devices, but once you own all of them you've
    literally taken over every single piece of the network.''

    https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/

    ------------------------------

    Date: Fri, 07 Feb 2020 01:06:34 -0500
    From: "Arthur T." <risks2020...@xoxy.net>
    Subject: Data leakage from portable versions of Open Office and Libre Office

    Note: this post is Windows-centric. I'm not sure if a similar problem occurs
    on other platforms.

    Many people run the portable version of Office (Open or Libre) from a
    specific location (such as a thumb drive) in order to keep all data off of
    other locations (such as the C: drive). This might not be working as
    expected.

    One of the first things one does in such a case is verify the locations of
    default files, temp files, etc. The temp files location is a few directories
    down from %temp% (or maybe %tmp%) and probably on C:. So one changes it to a
    directory on the same drive where Office resides. Unfortunately, that
    doesn't work. More unfortunately, Office doesn't tell you that it didn't
    work.

    My first indication was that when I restarted the program, its temp
    directory had reverted to within %temp%. I thought that, even though it
    remembered other changes, it somehow wasn't remembering that one.

    In fact, it's more sinister. Not only is it not remembering it, it's not
    using the updated location. When it starts, it immediately creates files in
    its temp directory, and it keeps using that same directory until Office is
    closed, regardless of what you type in as an override once the program is
    running. Really, it shouldn't let you type an override in for that
    directory, so you'd know it can't be overridden.

    I use Open Office, but web searches suggest: that Libre Office has the same
    problem, that it has existed for a long time, and that it has not been
    fixed.

    For myself, I created a .bat file to reset temp and tmp before starting Open
    Office, and that appears to fix the problem. My .bat file to run Office from
    drive E: is:

    setlocal
    REM Point both temp variables at the portable drive before Office starts;
    REM Office reads its temp location at startup and ignores later overrides.
    if not exist e:\temp mkdir e:\temp
    set tmp=e:\temp
    set temp=e:\temp
    start "Open Office on E" "e:\Program Files\OpenOffice\OpenOfficePortable.exe"
    endlocal

    ------------------------------

    Date: Sun, 9 Feb 2020 21:29:23 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)

    A few months ago, the company disclosed that apps were siphoning data from
    up to 9.5 million of its users. It only found out thanks to a bug bounty
    submission.

    https://www.wired.com/story/facebook-bug-bounty-app-data-stealing/

    ------------------------------

    Date: Sat, 8 Feb 2020 11:42:35 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The `manosphere' is getting more toxic as angry men join the incels
    (MIT Tech Review)

    Men from the less extreme end of the misogynistic spectrum are drifting
    toward groups that espouse violence against women, a new study suggests.

    https://www.technologyreview.com/s/...ting-more-toxic-as-angry-men-join-the-incels/

    ------------------------------

    From: Chris Elsässer <chris.e...@comcast.net>
    Date: Thu, Feb 6, 2020 at 11:55 AM
    Subject: Explainable AI

    Geoff, Looking over your recent posts on IS & RISKS, I noticed this at the end
    (probably from MIT Tech Review):

    Ehsan is part of a small but growing group of researchers trying to make AIs
    better at explaining themselves, to help us look inside the black box. The
    aim of so-called interpretable or explainable AI (XAI) is to help people
    understand what features in the data a neural network is actually learning
    -- and thus whether the resulting model is accurate and unbiased. [...]

    Once again, AI is reinvented!

    But first, it would be nice if the Tech Review writer (Douglas Heaven) knew
    that *interpretable* and *explainable* are not the same thing.

    Second, it would be nice if the writer looked at the extensive literature on
    explanation in AI systems; goes back to the great-grandparent of AI systems,
    MYCIN, and its explanation subsystem. [note: MYCIN's `certainty factors'
    were soon supplanted at Stanford by Bayes networks]

    Per Geoff Hinton, Deep learning NNs are approximations of (full) Bayesian
    classifiers. Explanation of Bayesian inference has long been seen to be in
    need of `explanation' (or perhaps `convincing' :)) because human reason
    under uncertainty has often been found to deviate from Bayesian inference
    (which is provably optimal).

    The earliest reference to explanation of Bayesian inference I've found is
    the following (and it should be obvious why I looked no further ;-)):

    Elsaesser, Christopher (1987) Explanation of Probabilistic Inference for
    Decision Support Systems *Proceedings of the Third Conference on
    Uncertainty in Artificial Intelligence (UAI-87),* Morgan Kaufmann, San
    Francisco, CA.

    That paper reported work I did for my PhD thesis at Carnegie Mellon. My
    techniques were substantially improved and extended by Marek Druzdzel. For
    example:

    Henrion, M. and M. J. Druzdzel (1990). Qualitative and linguistic
    explanations of probabilistic reasoning in belief networks. Proceedings of
    the Sixth Conference on Uncertainty in Artificial Intelligence, pages 10-20
    Cambridge, MA, Association for Uncertainty in AI.

    NOT that re-invention is not worthwhile. Just that at least in this case
    it's nothing new. :)

    ------------------------------

    Date: Tue, 4 Feb 2020 18:03:22 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Read the FBI's Damning Case Against the Recently Arrested Nintendo
    Hacker (Vice)

    The hacker who stole from Nintendo for years bragged about it online, and
    didn't even try to hide his real name or activities.

    https://www.vice.com/en_us/article/...against-the-recently-arrested-nintendo-hacker

    ------------------------------

    Date: Thu, 6 Feb 2020 18:55:58 -0700
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Who owns your feelings? Short doc shows how big tech uses AI to
    track emotions (CBC)

    https://www.cbc.ca/news/canada/montreal/stealing-ur-feelings-1.5362954

    Watching Noah Levenson's short documentary Stealing Ur Feelings is
    undoubtedly intended to be an uncomfortable experience.

    The short film, which premiered in Montreal as part of the International
    Documentary Festival this week, explains how big business has the capacity
    to use artificial intelligence programs and facial recognition software to
    track and monitor the emotions of its users.

    But he does this by using the same technology against the viewers of the
    film. "It uses facial emotion recognition AI to watch you back. So it
    analyzes your face as you react to content it shows you," explained
    Levenson.

    "So, the film uses the camera in your device to make you the star of the
    film."

    ------------------------------

    Date: Wed, 5 Feb 2020 00:58:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Photo Roulette on the App Store

    In Photo Roulette you compete with your friends to quickly guess whose photo
    is shown! Play with random photos from you (sic) and your friends' phones in
    this social and exciting Photo Roulette game! Feel the thrill before each
    picture and share the hilarious moments that occur with the pictures of your
    friends and family!

    https://apps.apple.com/us/app/photo-roulette/id1050443738

    Nevermind someone hacking your phone for pictures, play the game and see
    what's distributed.

    ------------------------------

    Date: Fri, 7 Feb 2020 12:26:13 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The 'race to 5G' is a myth (WEForum)

    EXCERPT:

    Telecommunications providers relentlessly extol the power of
    fifth-generation (5G) wireless technology. Government officials and policy
    advocates fret that the winner of the "5G race" will dominate the Internet
    of the future, so America cannot afford to lose out. Pundits declare that 5G
    will revolutionize the digital world.

    <https://www.weforum.org/agenda/2018...o-become-even-more-interconnected-here-s-how/>
    <https://www.cnn.com/2020/01/24/perspectives/america-china-5g-race/index.html>
    <https://www.weforum.org/agenda/2019/01/here-s-how-5g-will-revolutionize-the-digital-world/>

    It all sounds very thrilling. Unfortunately, the hype has gone too far. 5G
    systems will, over time, replace today's 4G, just as next year's iPhone 12
    will improve on this year's 11. 5G networks offer significantly greater
    transmission capacity. However, despite all the hype, they won't represent a
    radical break from the current mobile experience. First of all, the "race
    to 5G" is a myth. 5G is a marketing term for a family of technologies, which
    carriers can stretch to cover a variety of networks. The technical standards
    are still under development
    <https://www.brookings.edu/research/5g-in-five-not-so-easy-pieces/>, so what
    counts as "true" 5G is arguable. As with 4G, the 5G rollout will take years,
    as carriers upgrade their networks with new gear and users buy new
    phones. Just as they do today, connections will fall back to slower speeds
    when users aren't near enough to a tower, or if the network is overloaded.
    There's no magic moment when a carrier, or a nation, "has" 5G.

    Even if there was a race, it's over: South Korea and China have already
    built <https://www.cnn.com/2019/11/01/tech/5g-china/index.html> much more
    extensive 5G networks than the United States. But that shouldn't be cause
    for panic. Customers in those countries may have a leg up on faster
    connections, but that doesn't necessarily create a sustainable strategic
    advantage. Romania is one of 10 countries with significantly faster
    <https://www.speedtest.net/global-index> average fixed broadband connections
    than America today, yet no one in Washington seems concerned that will give
    Romanian firms a dominant advantage. The major tech platforms delivering
    innovative digital services to the world are still based in the United
    States and China. There are important concerns
    <https://www.cnn.com/2019/12/05/tech/huawei-us-ban-lawsuit/index.html> about
    the Chinese networking firm Huawei creating backdoors for surveillance or
    tilting the carrier equipment market toward Chinese-defined standards. Your
    5G user experience, however, won't depend on who makes the gear in the guts
    of the network. The overheated rhetoric is based on the misconception that
    5G heralds a new era of services for end-users. In reality, the claimed
    performance -- hundreds of megabits or even gigabits per second
    -- is misleading. Averages and ideal numbers mask huge variations
    depending <https://www.cnn.com/2019/08/09/tech/5g-review/index.html> on
    distance to an antenna, obstructions, weather and other factors. The fastest
    speeds require "millimeter wave" spectrum, which doesn't penetrate walls or
    foliage well, and is generally less reliable than the lower frequencies used
    today. Millimeter wave requires a much denser network of antennas, which
    could be cost-prohibitive outside dense urban areas. Even if that hurdle is
    overcome, a gigabit per second to millions of phones requires a network able
    to move traffic at that speed end-to-end, which doesn't exist today. [...]

    https://www.cnn.com/2020/02/03/perspectives/5g-disruption/index.html

    ------------------------------

    Date: Thu, 6 Feb 2020 18:57:47 -0700
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Not all fun and memes: What's the trouble with TikTok? (CBC)

    https://www.cbc.ca/news/technology/tiktok-criticism-expansion-in-canada-1.5336375

    It's been a bad week for TikTok.

    The Chinese-owned video-sharing app, wildly popular with teens, was forced
    to issue a rare public statement about its data security practices and
    whether it censors content on behalf of Beijing.

    In short, TikTok said it can be trusted with its users' data and that it
    doesn't delete videos just because of "sensitivities related to China." But
    that's done little to quiet the app's increasingly vocal critics who worry
    the platform, with its short lip-sync and comedy videos, is the latest
    example of Beijing's overseas intelligence-gathering operation.

    Toronto-based privacy advocate Ann Cavoukian told CBC News she is skeptical
    of TikTok's defence, because "surveillance among the Chinese is non-stop."

    ------------------------------

    Date: Fri, 7 Feb 2020 12:25:16 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Night Sky Will Never Be the Same (The Atlantic)

    *If Elon Musk has his way, thousands of bright artificial lights will
    streak through the dark*
    EXCERPT:

    Last year, Krzysztof Stanek got a letter from one of his neighbors. The
    neighbor wanted to build a shed two feet taller than local regulations
    allowed, and the city required him to notify nearby residents. Neighbors,
    the notice said, could object to the construction. No one did, and the shed
    went up.

    Stanek, an astronomer at Ohio State University, told me this story not
    because he thinks other people will care about the specific construction
    codes of Columbus, Ohio, but rather because it reminds him of the network of
    satellites SpaceX is building in the space around Earth. ``Somebody puts up
    a shed that might obstruct my view by a foot, I can protest. But somebody
    can launch thousands of satellites in the sky and there's nothing I can do?
    As a citizen of Earth, I was like, *Wait a minute*.''

    Since last spring, SpaceX has launched into orbit dozens of small
    satellites -- the beginnings of Starlink, a floating scaffold that the
    company's founder, Elon Musk, hopes will someday provide high-speed
    Internet to every part of the world.
    <https://www.theatlantic.com/science/archive/2019/05/spacex-satellites-starlink/590269/>

    SpaceX sent a letter too, in a way. After filing for permission to build
    its constellation in space, federal regulators held the required comment
    period, open to the public, before the first satellites could launch.

    These satellites have turned out to be far more reflective than anyone, even
    SpaceX engineers, expected. Before Starlink, there were about 200 objects in
    orbit around Earth that could be seen with the unaided eye. In less than a
    year, SpaceX has added another 240. ``These are brighter than probably 99
    percent of existing objects in Earth orbit right now,'' says Pat Seitzer, a
    professor emeritus at the University of Michigan who studies orbital
    debris. For months, astronomers have shared images online of their
    telescopes' fields of view with diagonal white streaks cutting across the
    darkness, the distinct appearance of Starlink satellites. More satellites
    are now on the way, both from SpaceX and other companies. If, as Musk hopes,
    these satellites number in the tens of thousands, ignoring them will be
    difficult, whether you're an astronomer or not.

    In some ways, these satellites pose a familiar problem, a matter of managing
    the competing interests that scientists, commercial companies, and the
    public might have in a limited natural resource. But the use of outer space
    -- particularly the part in close vicinity to our planet -- has never been
    tested quite like this before. For most of history, scientists, particularly
    those who observe the cosmos on visible wavelengths, have had relatively
    little competition for access to the sky. Passing satellites were considered
    nuisances and sometimes wrecked data, but they were rare. Some astronomers
    are now calling for legal action but even those who wouldn't push that far
    describe Starlink's satellites as a wake-up call: What happens when new and
    powerful neighbors have a distinct -- and potentially disruptive -- plan for
    a place you value?...
    <https://room.eu.com/news/legal-acti...op-starlink-ruining-the-night-say-astronomers>,

    [...]
    https://www.theatlantic.com/science/archive/2020/02/spacex-starlink-astronomy/606169/

    ------------------------------

    Date: Fri, 7 Feb 2020 11:14:15 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boeing's Starliner space capsule suffered a second software
    glitch during December test flight (WashPost)

    Boeing's Starliner space capsule suffered a second software glitch during
    December test flight

    https://www.washingtonpost.com/tech...-software-glitch-during-december-test-flight/

    ------------------------------

    Date: Thu, 6 Feb 2020 14:33:07 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boeing Refuses to Cooperate With New Inquiry into Deadly Crash
    (NYTimes)

    https://www.nytimes.com/2020/02/06/business/boeing-737-inquiry.html

    In both the Max accidents and the 2009 crash, which involved a 737 NG,
    Boeing’s design decisions allowed a single malfunctioning sensor to trigger
    a powerful computer command, even though the plane was equipped with two
    sensors. For both models, the company had determined that if a sensor
    failed, pilots would recognize the problem and recover the plane. But Boeing
    did not provide pilots with key information that could have helped them
    counteract the automation error.

    After the 2009 crash, regulators required airlines to install a software
    update for the NG that allowed comparison of data from the two available
    sensors — much the same fix that Boeing has now proposed for the Max. In the
    case of the NG, Boeing had developed a software update before the 2009
    accident, but it wasn't compatible with all existing models, including the
    jet that crashed near Amsterdam.

    ------------------------------

    Date: Mon, 10 Feb 2020 08:17:07 -0500
    From: Jan Wolitzky <jan.w...@gmail.com>
    Subject: NASA Shares Initial Findings from Boeing Starliner Orbital Flight
    Test Investigation (NASA)

    https://blogs.nasa.gov/commercialcr...-starliner-orbital-flight-test-investigation/

    ------------------------------

    Date: Wed, 5 Feb 2020 11:04:31 +0100
    From: Terje Mathisen <terje....@tmsw.no>
    Subject: Re: Boeing 737s can't land facing west (RISKS-31.54)

    I think this data item, along with the very limited number of identified
    problematic runways provide a strong clue:

    The flight software splits the circle into quadrants, then for at least one
    quadrant boundary the logic to determine which one is broken, i.e.
    something like

    if (angle < 270.0) quadrant = 3;
    else if (angle > 270.0) quadrant = 4;

    For these particular runways, the planners had enough freedom to be allowed
    to place each runway exactly where they wanted and decided to draw a
    perfectly straight line <E-W> using RTK GPS surveying so that the actual
    direction is 270 degrees exactly, while on all the other "Runway 27"s
    (approx) in the world which have been certified for 737 landings, there is a
    small but sufficient angular offset.

    I would have expected such an error to also happen in the opposite direction
    though, that's why I'm guessing at individual code for each boundary.
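    To make the boundary case concrete, an added example (not from Terje
    Mathisen's post and not from any flight software) that puts his two-line
    guess beside a version covering the whole circle with half-open intervals,
    so that every heading, including exactly 270.0 and exactly 360.0, gets a
    quadrant. The quadrant numbering (1 for [0,90), 2 for [90,180), and so on),
    the use of 0 to mean "no quadrant chosen", and the probe headings are
    assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// QuadrantBroken is the boundary test as the post imagines it: two strict
// comparisons around one boundary. Exactly 270.0 matches neither branch, so
// the variable keeps its initial value; 0 here stands for "nothing chosen".
func QuadrantBroken(angle float64) int {
	quadrant := 0
	if angle < 270.0 {
		quadrant = 3
	} else if angle > 270.0 {
		quadrant = 4
	}
	return quadrant
}

// Quadrant maps any finite heading to 1..4 using the half-open intervals
// [0,90), [90,180), [180,270), [270,360). Each boundary belongs to exactly
// one interval, so no value falls through.
func Quadrant(angle float64) (int, error) {
	if math.IsNaN(angle) || math.IsInf(angle, 0) {
		return 0, errors.New("heading is not a finite number")
	}
	a := math.Mod(angle, 360) // normalise: 360 -> 0, -90 -> 270
	if a < 0 {
		a += 360
	}
	q := int(a/90) + 1
	if q > 4 { // guard against a/90 rounding up to 4.0 for a just below 360
		q = 4
	}
	return q, nil
}

// Fallthroughs runs f over a set of headings and returns those for which it
// chooses no quadrant: the kind of boundary test that would have caught the
// gap before a runway happened to sit on it.
func Fallthroughs(f func(float64) int, headings []float64) []float64 {
	var bad []float64
	for _, h := range headings {
		if f(h) == 0 {
			bad = append(bad, h)
		}
	}
	return bad
}

// boundaryProbe holds every quadrant boundary plus the nearest representable
// values on either side of 270.
var boundaryProbe = []float64{
	0, 90, 180, 270, 360,
	math.Nextafter(270, 0), math.Nextafter(270, 360),
}

func main() {
	fmt.Println("broken version falls through at:", Fallthroughs(QuadrantBroken, boundaryProbe))
	fixed := func(h float64) int { q, _ := Quadrant(h); return q }
	fmt.Println("fixed version falls through at:", Fallthroughs(fixed, boundaryProbe))
	for _, h := range []float64{269.9, 270, 270.1, 360, -90} {
		q, _ := Quadrant(h)
		fmt.Printf("heading %6.1f -> quadrant %d\n", h, q)
	}
}
```

    The point of the probe set is that a boundary bug only shows on the exact
    boundary value, which ordinary test data almost never contains; testing each
    boundary and its floating-point neighbours explicitly is what finds it.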

    ------------------------------

    From: "3daygoaty" <threed...@gmail.com>
    Date: Wed, 5 Feb 2020 11:11:12 +1100
    Subject: Re: 99 smartphones ... (RISKS-31.56)

    This involved 99 real smart phones running the Google maps app. Can the
    same effect be achieved by simulating the phones on fewer- or one- physical
    device(s)? How easy is it then to tell Google Maps you are somewhere you
    actually aren't?

    The hack looks like it could be used to flock self-driving cars away from
    some route or alternatively, funnel them into some sort of trap.
    Self-driving cars likely being rather posh cars might be desirable for car
    jacking, say.

    The service that allows the authorities to get all green lights driving
    across the city for the movement of sensitive freight, high profile people
    or prisoners - I would presume their route is fixed and not subject to
    traffic? Gerry Adams came to Melbourne. They organised 5 routes from the
    airport to a certain Irish pub. At the last minute they picked one of
    them. Can I use the above hack to route Gerry where I want him?

    ------------------------------

    Date: Wed, 05 Feb 2020 23:18:06 -0500
    From: JC Cantrell <j...@cantrell2.org>
    Subject: Re: 99 smartphones ... (RISKS-31.56)

    I smell a small business opportunity here.

    Got too much traffic on your street? Waze leading others to contribute to
    your traffic headaches?

    Hire me! I have the wagon, can get the old phones and, for the right price,
    will walk your streets at rush hour! Guaranteed to reduce traffic by 10, 20,
    or even 30 percent!

    Now I just have to subcontract this, but being in California with recent
    independent contractor classification troubles, let's just call the whole
    thing off.

    Another one of my grand schemes shot down.

    ------------------------------

    Date: Thu, 6 Feb 2020 11:40:31 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Re: Artificial intelligence-created medicine to be used on humans
    for first time (RISKS-31.56)

    AI assisted with a small part of drug discovery, not quite the breakthrough
    suggested by the press.

    https://blogs.sciencemag.org/pipeline/archives/2020/01/31/another-ai-generated-drug

    ------------------------------

    Date: Tue, 04 Feb 2020 16:07:52 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: AI-created medicine to be used on humans (Stein, R 31.56)

    Perhaps they should run the first tests on another AI.

    "Typically, drug development takes about five years to get to trial"; here
    "trial" means the first class action suit.

    Remember the principle: "An AI for an AI".

    [Richard Stein replied:

    Henry -- A good aphorism. Nothing like algorithmic retribution --
    recursive payback. I favor "Dog Fooding" in this case. Would the
    pharmaceutical company's investors or employees subject their children
    to the clinical trial if they qualified as candidates? RS]

    ------------------------------

    Date: 4 Feb 2020 17:43:54 -0500
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: Election Security At The Chip Level (SemiEngineering, RISKS-31.56)

    Where I live, they have the info you provided when you registered which
    includes your signature and usually height and eye color which the election
    officials check. (I used to be one.) The officials are mostly retired local
    folks, and often know who you are anyway. Very low tech but pretty
    effective.

    Despite endless disinformation to the contrary, in-person voter fraud is not
    a problem and never has been. If you think about it for two minutes, it's
    about the worst possible way to steal an election, one vote at a time with
    each vote subject to challenge. Sensible people steal an election by
    bribing the officials so when the polls close they stuff the box full of
    enough ballots to ensure that the correct candidate wins.

    For an excellent discussion of this technique, read Robert Caro's "Means of
    Ascent" which is mostly about how Lyndon Johnson won the 1948 primary that
    put him in the Senate. It includes a long interview with the guy who had
    the ballot box.

    ------------------------------

    Date: Tue, 4 Feb 2020 22:22:53 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Should Automakers Be Responsible for Accidents? (Levine,
    RISKS-31.56)

    And parking tickets imposing automaker liability:

    Sorry sir, we've remotely disabled your car, now that it's legally parked in
    your garage. Please complete the attached agreement committing to better
    behavior, so that we may restore your driving privileges at the end of next
    month.

    On 2/4/2020 5:07 PM, John Levine wrote:
    > In article <16.CMM.0.90.4.1580237212.risko@chiron.csl.sri.com7592> you write:
    >> What a strange scheme:
    >>
    >> Automaker enterprise liability would have useful incentives that driver
    >> liability law misses.
    >> https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf
    > I can hardly wait:
    >
    > "Sorry, sir, you've had three moving violations so we'll have to ask
    > you to leave the showroom now."

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.57
    ************************
  9. LakeGator

    Risks Digest 31.57

    RISKS List Owner

    Feb 10, 2020 8:16 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 10 February 2020 Volume 31 : Issue 57

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Backhoes, squirrels, and woodpeckers as DoS vectors (Richard Forno)
    Benjamin Netanyahu's election app potentially exposed data for every Israeli
    voter (WashPost)
    The app that broke the Iowa caucus, an inside look (CNET)
    Tesla Remotely Removes Autopilot Features From Customer's Used Tesla
    Without Any Notice (Clean Technica)
    Recent Car Thefts May Be Related To Carsharing App Getaround, Warns
    D.C. Attorney General (DCist)
    SSL Certificates are expiring... (Cryptography)
    Nasty Linux, macOS sudo bug found and fixed (ZDNet)
    Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)
    Data leakage from portable versions of Open Office and Libre Office
    (Arthur T.)
    Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)
    The `manosphere' is getting more toxic as angry men join the incels
    (MIT Tech Review)
    Explainable AI (Chris Elsässer)
    Read the FBI's Damning Case Against the Recently Arrested Nintendo Hacker
    (Vice)
    Who owns your feelings? Short doc shows how big tech uses AI to track
    emotions (CBC)
    Photo Roulette on the App Store (Gabe Goldberg)
    The 'race to 5G' is a myth (WEForum)
    Not all fun and memes: What's the trouble with TikTok? (CBC)
    The Night Sky Will Never Be the Same (The Atlantic)
    Boeing's Starliner space capsule suffered a second software
    glitch during December test flight (WashPost)
    Boeing Refuses to Cooperate With New Inquiry into Deadly Crash (NYTimes)
    NASA Shares Initial Findings from Boeing Starliner Orbital Flight Test
    Investigation (NASA)
    Re: Boeing 737s can't land facing west (Terje Mathisen)
    Re: 99 smartphones ... (3daygoaty, JC Cantrell)
    Re: Artificial intelligence-created medicine to be used on humans for
    first time (Mark Thorson)
    Re: AI-created medicine to be used on humans (Henry Baker)
    Re: Election Security At The Chip Level (John R. Levine)
    Re: Should Automakers Be Responsible for Accidents? (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 10 Feb 2020 08:53:28 -0500
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Backhoes, squirrels, and woodpeckers as DoS vectors

    [The video shows] a wireless antenna in California. Network coverage was
    disrupted by an Acorn woodpecker, a 3-ounce bird stashing an estimated 35-50
    gallons/300lbs of acorns.

    Social media have been attributing this to squirrels for a long time. I
    of course try to correct people anytime I see this. It just proves that
    attribution can be really difficult. RF

    [We have had numerous squirrel and a few notable backhoe stories in the
    RISKS archives. But woodpeckers also have had their opportunities, e.g.,
    in RISKS-17.16: ``Woodpeckers could delay shuttle.'' Furthermore, I note
    that the quote "If builders built houses the way programmers write
    programs, the first woodpecker that came along would destroy
    civilization." managed to peck its way into *three* different issues,
    RISKS-10.07 (June 1990), 23.74 (Feb 2005), and 28.21 (August 2014), so
    they keep coming back. A hardy bunch, these woodpeckers. They really get
    around. Indeed, they really get a round hole where there are not even any
    square pegs. PGN]

    ------------------------------

    Date: Mon, 10 Feb 2020 08:36:47 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Benjamin Netanyahu's election app potentially exposed data for
    every Israeli voter (WashPost)

    https://www.washingtonpost.com/worl...f606c0-4bfe-11ea-967b-e074d302c7d4_story.html

    ------------------------------

    Date: Thu, 6 Feb 2020 16:45:00 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The app that broke the Iowa caucus, an inside look (CNET)

    *A cybersecurity company got hold of the code for Shadow, the app used in
    the Iowa caucus, and spoke to CNET about what it found*

    EXCERPT:

    Results from Monday's Iowa caucus were delayed for days because of problems
    with a smartphone app used to tabulate and report results, causing chaos and
    frustration among campaigns and voters. A reported coding issue caused the
    app to only report out partial data, Iowa Democratic Chairman Troy Price
    said in a statement.

    <As Iowa caucuses arrive, Facebook has a trust problem>
    <Switch to new tech mucks up Iowa caucus results>
    <Iowa caucus app debacle: What went wrong? Here's what we know so far>

    Cybersecurity company Blue Hexagon obtained a copy of the app, created by a
    company called Shadow, Inc. Blue Hexagon's head of cyberthreat intelligence
    and operations, Irfan Asrar, spoke with CNET's Dan Patterson about what went
    wrong and the overarching cybersecurity concerns this presents for the rest
    of the 2020 election.
    <The scariest hacks and vulnerabilities of 2019 | ZDNet>

    Blue Hexagon is still diagnosing exactly why the app failed. But the final
    version of the app has several problems within the code, including links to
    people's personal websites, Asrar said. "What we believe is, this is an
    oversight, and an example of the app being rushed into production," he
    added. The larger concern is that the app was so easy to obtain, which
    means anyone could access the infrastructure supporting it and potentially
    cause damage, Asrar said.

    Watch the video for the full interview
    <Inside Shadow: An exclusive look at the mobile app that broke the Iowa caucus - Video>
    and more insight into the Shadow, Inc. app. [...]
    The app that broke the Iowa caucus: An inside look

    [The whole situation smells of gross incompetence, trust in flaky
    outsourcing, lack of assurance, testing, and many other problems long
    considered in RISKS. If every computer system is simply badly conceived
    and ultimately flawed and compromisable internally or externally, why
    would you expect anything else here?

    In addition to all of the above, Rachel Maddow had on her 6 Feb 2020 show
    a reprise of the massive denial of service in 2002 in the New Hampshire
    election for Sununu that disrupted telephone banks intending to get out
    the vote for Democrats. This exact DoS was repeated by the Reps in 2020
    to totally disrupt the Iowa caucus after the Dems turned to phone lines to
    call in the results. This kind of disruption is clearly out of control,
    even with the Dems having overprovisioned their servers. PGN]

    ------------------------------

    Date: Mon, 10 Feb 2020 08:54:45 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tesla Remotely Removes Autopilot Features From Customer's Used
    Tesla Without Any Notice (Clean Technica)

    EXCERPT:

    One of the less-considered side effects of car features moving from
    hardware to software is that important features and abilities of a car can
    now be removed without any actual contact with a given car. Where once
    de-contenting involved at least a screwdriver (or, if you were in a hurry,
    a hammer), now thousands of dollars of options can vanish with the click of
    a mouse somewhere. And that's exactly what happened to one Tesla owner,
    and, it seems, many others.

    Alec (I'll withhold his last name for privacy reasons) bought a 2017 Tesla
    Model S on December 20 of last year, from a third-party dealer who bought
    the car directly from Tesla via auction on November 15, 2019. The car was
    sold at auction as a result of a California Lemon Law buyback, as the car
    suffered from a well-known issue where the center-stack screen developed a
    noticeable yellow border.
    <Tesla Rolls Out UV Light Fix For Yellowing Screen Border | CleanTechnica>

    When the dealer bought the car at auction from Tesla on November 15, it was
    optioned with both Enhanced Autopilot and Tesla's confusingly-named Full
    Self Driving Capability. Together, these options totaled $8,000. You can
    see them right on the
    Monroney sticker for the car:...
    <Tesla Is Still Using the Phrase 'Full Self-Driving' to Describe Its Cars Even Though It's Wrong>
    Tesla Remotely Removes Autopilot Features From Customer's Used Tesla Without Any Notice [Updated]

    ------------------------------

    Date: Wed, 5 Feb 2020 18:05:36 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Recent Car Thefts May Be Related To Carsharing App Getaround,
    Warns D.C. Attorney General (DCist)

    “Vehicles listed on Getaround could be at increased risk of theft because
    keys are left inside of the car and the car’s location is visible to anyone
    searching the platform,” according to a release from the OAG.

    Recent Car Thefts May Be Related To Carsharing App Getaround, Warns D.C. Attorney General | DCist

    Ya think?

    ------------------------------

    Date: February 1, 2020 at 9:08:55 AM GMT+9
    From: Henry Baker <hba...@pipeline.com>
    Subject: SSL Certificates are expiring... (Cryptography)

    ``Forget the Y2K bug, "things" are starting to break as SSL Certificates
    start expiring.''

    Several authority certificates are expiring:
    5/30/2020
    6/21/2020
    9/22/2020
    12/31/2020

    IoT -- Internet of Expired Certificates.

    Perfectly good HW, but with firmware that can't be updated.

    I just hope that implantable medical devices can have their builtin
    certificates updated!

    I wonder how many "smart" *cars* will stop running when their builtin SSL
    certificates expire?

    Problems: bad hash functions (MDx,SHA1) are also causing certificate
    problems even though the RSA algorithm -- even at 1024 bits -- still seems
    to be holding.
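    As an added example (not part of Henry Baker's post or of the RISKS Digest),
    the kind of expiry triage a defender would run over an inventory of devices
    whose trust stores cannot be updated. The device names are placeholders; the
    four expiry dates are the ones listed in the post. Only the Python standard
    library is used: ssl.cert_time_to_seconds() parses the notAfter string in the
    same format that getpeercert() returns, so the scoring function works both on
    a stored inventory and on a live TLS endpoint.

```python
"""Days-to-expiry triage for TLS certificates, standard library only.
Added example, not from the post; inventory names are placeholders."""
import datetime as dt
import socket
import ssl

# Constructed inventory: device names are placeholders, the four expiry
# dates are the ones quoted in the post.
SAMPLE_INVENTORY = {
    "placeholder-device-A": "May 30 00:00:00 2020 GMT",
    "placeholder-device-B": "Jun 21 00:00:00 2020 GMT",
    "placeholder-device-C": "Sep 22 00:00:00 2020 GMT",
    "placeholder-device-D": "Dec 31 00:00:00 2020 GMT",
}


def utc(year, month, day):
    """Timezone-aware midnight UTC, used as the `now` reference below."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days from `now` (tz-aware, UTC) to a notAfter string in the
    format ssl.SSLSocket.getpeercert() returns, e.g. 'May 30 00:00:00 2020 GMT'.
    Negative means the certificate has already expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)   # interpreted as UTC
    now = now or dt.datetime.now(dt.timezone.utc)
    return int((expiry_ts - now.timestamp()) // 86400)


def triage(inventory, now=None, warn_days=90):
    """Classify each device as 'expired', 'expiring' (within warn_days) or
    'ok'. The result is ordered soonest-expiry first, which is the order in
    which devices with un-updatable firmware will start failing."""
    scored = {name: days_until_expiry(na, now) for name, na in inventory.items()}
    result = {}
    for name, days in sorted(scored.items(), key=lambda kv: kv[1]):
        if days < 0:
            result[name] = "expired"
        elif days <= warn_days:
            result[name] = "expiring"
        else:
            result[name] = "ok"
    return result


def peer_days_until_expiry(host, port=443, timeout=5.0):
    """Fetch the leaf certificate from a live server and score it. Needs
    network access, so the offline checks do not call it. With the default
    verifying context an already-expired or untrusted chain fails the
    handshake with ssl.SSLCertVerificationError; that failure is itself the
    finding, because a client with the same trust store would refuse too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return days_until_expiry(not_after)


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY, utc(2020, 1, 31), 180).items():
        print(f"{name}: {status}")
```

    The warning window is the parameter that matters for embedded gear: it has
    to be at least as long as the firmware release cycle, since a device that
    cannot be patched before its trust anchors lapse will fail regardless of
    how early the expiry was noticed.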

    ------------------------------

    Date: Wed, 5 Feb 2020 01:02:54 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nasty Linux, macOS sudo bug found and fixed (ZDNet)

    Sudo is a very popular, very simple Unix-system sysadmin application. It
    enables users to switch identities for the purpose of running a single
    command. Usually, but not always, it lets you run a command as the root,
    system administrator, user. Sudo's easy to abuse, but it's so darn useful,
    until it's not. A recently discovered sudo bug once more spells out why you
    should be wary of this command.

    In this latest security hole, CVE-2019-18634, Apple Information Security
    researcher Joe Vennix discovered that if the "pwfeedback" option is enabled
    in your sudoers configuration file, any user, even one who can't run sudo or
    is listed in the sudoers file, can crack a system.

    Nasty Linux, macOS sudo bug found and fixed | ZDNet
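    As an added example (not part of Gabe Goldberg's post, the ZDNet article or
    the sudo project), the check a defender wants after reading this: audit
    sudoers text for the `pwfeedback` option that CVE-2019-18634 turns into a
    security bug, and rewrite it to the explicit `!pwfeedback`. The sample
    sudoers contents are constructed; the option names and the `Defaults`
    scoping syntax are sudo's own.

```python
"""Audit sudoers text for an enabled `pwfeedback` option (CVE-2019-18634)
and produce the hardened counterpart. Added example; samples are constructed."""
import re

# Constructed sample with the option enabled in three common spellings:
# bare, inside a comma-separated list, and scoped to one user. The
# host-scoped `!pwfeedback` and the commented line are negative cases.
WEAK_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults pwfeedback
Defaults:alice timestamp_timeout=5, pwfeedback
Defaults@buildhost !pwfeedback
# Defaults pwfeedback   <- commented out, must not be reported
root ALL=(ALL:ALL) ALL
"""

# The same file with the option explicitly disabled everywhere.
HARDENED_SUDOERS = """\
# /etc/sudoers (constructed sample, hardened)
Defaults env_reset
Defaults !pwfeedback
Defaults:alice timestamp_timeout=5
root ALL=(ALL:ALL) ALL
"""

# A Defaults line, optionally scoped with :User_List, @Host_List, >Runas_List
# or !Cmnd_List. A scope list that itself contains spaces is not handled.
_DEFAULTS_RE = re.compile(r"^\s*Defaults(?P<scope>[:@>!]\S*)?\s+(?P<opts>.*)$")


def _parse_defaults(raw):
    """Split a raw line into (prefix, options, tail) if it is a Defaults
    line, else None. prefix is everything before the option list, tail is
    the trailing whitespace plus any '#' comment, so the line can be rebuilt."""
    code, hash_sign, comment = raw.partition("#")
    stripped = code.rstrip()
    m = _DEFAULTS_RE.match(stripped)
    if not m:
        return None
    opts = [o.strip() for o in m.group("opts").split(",")]
    tail = code[len(stripped):] + hash_sign + comment
    return code[:m.start("opts")], opts, tail


def find_pwfeedback(sudoers_text):
    """Return (line_number, line) for every Defaults line that enables
    pwfeedback. `!pwfeedback` and commented-out lines are not reported."""
    hits = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        parsed = _parse_defaults(raw)
        if parsed and "pwfeedback" in parsed[1]:
            hits.append((n, raw.strip()))
    return hits


def harden(sudoers_text):
    """Rewrite every enabling `pwfeedback` to `!pwfeedback`; all other lines,
    comments included, are returned unchanged."""
    out = []
    for raw in sudoers_text.splitlines():
        parsed = _parse_defaults(raw)
        if parsed and "pwfeedback" in parsed[1]:
            prefix, opts, tail = parsed
            opts = ["!pwfeedback" if o == "pwfeedback" else o for o in opts]
            raw = prefix + ", ".join(opts) + tail
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, line in find_pwfeedback(WEAK_SUDOERS):
        print(f"line {line_no}: {line}")
    print(harden(WEAK_SUDOERS))
```

    Run the audit over every file that `#includedir` pulls in (typically
    /etc/sudoers.d), not just /etc/sudoers, and apply edits through visudo so
    that `visudo -c` validates the result; disabling the option is the
    mitigation for hosts that cannot yet be moved to a fixed sudo release.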

    ------------------------------

    Date: Fri, 7 Feb 2020 10:32:15 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)

    To exploit the bugs, attackers would first need a foothold inside a target's
    network, but from there they could fan out quickly, compromising one
    vulnerable Cisco device after another to bore deeper into a system. And once
    attackers controlled a switch or router they could start to intercept
    unencrypted network data, like files and some communications, or access a
    company's *active directory*, which manages authentication for users and
    devices.

    ``It's still hop by hop. As a hacker, you still need an initial attack vector
    into the network,'' says Ang Cui, founder of the IoT security firm Red
    Balloon, who has disclosed numerous Cisco bugs. ``But once you’re there, at
    each hop you have the same vulnerability present -- all the switches,
    firewalls, and routers in a network could be affected by this. So you're
    going to have to own a lot of devices, but once you own all of them you've
    literally taken over every single piece of the network.''

    Cisco Flaws Put Millions of Workplace Devices at Risk

    ------------------------------

    Date: Fri, 07 Feb 2020 01:06:34 -0500
    From: "Arthur T." <risks2020...@xoxy.net>
    Subject: Data leakage from portable versions of Open Office and Libre Office

    Note: this post is Windows-centric. I'm not sure if a similar problem occurs
    on other platforms.

    Many people run the portable version of Office (Open or Libre) from a
    specific location (such as a thumb drive) in order to keep all data off of
    other locations (such as the C: drive). This might not be working as
    expected.

    One of the first things one does in such a case is verify the locations of
    default files, temp files, etc. The temp files location is a few directories
    down from %temp% (or maybe %tmp%) and probably on C:. So one changes it to a
    directory on the same drive where Office resides. Unfortunately, that
    doesn't work. More unfortunately, Office doesn't tell you that it didn't
    work.

    My first indication was that when I restarted the program, its temp
    directory had reverted to within %temp%. I thought that, even though it
    remembered other changes, it somehow wasn't remembering that one.

    In fact, it's more sinister. Not only is it not remembering it, it's not
    using the updated location. When it starts, it immediately creates files in
    its temp directory, and it keeps using that same directory until Office is
    closed, regardless of what you type in as an override once the program is
    running. Really, it shouldn't let you type an override in for that
    directory, so you'd know it can't be overridden.

    I use Open Office, but web searches suggest: that Libre Office has the same
    problem, that it has existed for a long time, and that it has not been
    fixed.

    For myself, I created a .bat file to reset temp and tmp before starting Open
    Office, and that appears to fix the problem. My .bat file to run Office from
    drive E: is:

    setlocal
    set tmp=e:\temp
    set temp=e:\temp
    start "Open Office on E" "e:\Program Files\OpenOffice\OpenOfficePortable.exe"
    endlocal
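    As an added example (not Arthur T.'s batch file, nor anything from the
    OpenOffice or LibreOffice projects), the same fix with the verification
    step the post says the office suite lacks: set the temp-location variables
    in the environment before launch, then confirm from inside a child process
    that the override actually took effect. A throwaway Python interpreter
    stands in for the office executable; the directory names are constructed,
    and `launch_with_temp` is a hypothetical wrapper for starting the real
    program.

```python
"""Verify that a temp-directory override really reaches the child process.
Added example; not the office suite's code, paths are constructed."""
import os
import subprocess
import sys
import tempfile


def build_env(temp_dir, base_env=None):
    """Copy the environment and point every temp-location variable at
    temp_dir. TMP/TEMP are what Windows programs read; TMPDIR is consulted
    first by POSIX libraries and by Python's tempfile, so it is set as well.
    This is the counterpart of the `set tmp=` / `set temp=` batch lines."""
    env = dict(os.environ if base_env is None else base_env)
    for var in ("TMP", "TEMP", "TMPDIR"):
        env[var] = temp_dir
    return env


def child_temp_dir(env):
    """Launch a fresh interpreter under `env` and ask where it puts temp
    files. It stands in for the office suite: like it, the child decides its
    temp location once, at startup, from the environment it was given."""
    proc = subprocess.run(
        [sys.executable, "-c", "import tempfile; print(tempfile.gettempdir())"],
        env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def override_is_effective(temp_dir):
    """True only if the child reports a directory inside temp_dir.
    tempfile.gettempdir() silently falls back to the system default when the
    requested directory is missing or unwritable, the same silent failure the
    post describes, so the override has to be verified, not assumed."""
    target = os.path.realpath(temp_dir)
    reported = os.path.realpath(child_temp_dir(build_env(temp_dir)))
    try:
        return os.path.commonpath([target, reported]) == target
    except ValueError:      # different drives on Windows: certainly not inside
        return False


def make_scratch(prefix="office-temp-"):
    """Create a fresh scratch directory to use as the override target."""
    return tempfile.mkdtemp(prefix=prefix)


def launch_with_temp(exe, temp_dir):
    """Hypothetical launcher: start `exe` with the override in place, after
    creating the directory and proving the override works. Returns the Popen
    handle; not exercised offline."""
    os.makedirs(temp_dir, exist_ok=True)
    if not override_is_effective(temp_dir):
        raise RuntimeError(f"temp override to {temp_dir} did not take effect")
    return subprocess.Popen([exe], env=build_env(temp_dir))


if __name__ == "__main__":
    scratch = make_scratch()
    print("override effective:", override_is_effective(scratch))
    print("override to missing dir effective:",
          override_is_effective(scratch + "/does-not-exist"))
```

    The second check is the instructive one: pointing the variables at a
    directory that does not exist produces no error in the child, it just
    quietly uses the system default, which is exactly how data ends up on the
    drive the override was meant to avoid.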

    ------------------------------

    Date: Sun, 9 Feb 2020 21:29:23 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)

    A few months ago, the company disclosed that apps were siphoning data from
    up to 9.5 million of its users. It only found out thanks to a bug bounty
    submission.

    Facebook's Bug Bounty Caught a Data-Stealing Spree

    ------------------------------

    Date: Sat, 8 Feb 2020 11:42:35 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The `manosphere' is getting more toxic as angry men join the incels
    (MIT Tech Review)

    Men from the less extreme end of the misogynistic spectrum are drifting
    toward groups that espouse violence against women, a new study suggests.

    https://www.technologyreview.com/s/...ting-more-toxic-as-angry-men-join-the-incels/

    ------------------------------

    From: Chris Elsässer <chris.e...@comcast.net>
    Date: Thu, Feb 6, 2020 at 11:55 AM
    Subject: Explainable AI

    Geoff, Looking over your recent posts on IS & RISKS, I noticed this at the end
    (probably from MIT Tech Review):

    Ehsan is part of a small but growing group of researchers trying to make AIs
    better at explaining themselves, to help us look inside the black box. The
    aim of so-called interpretable or explainable AI (XAI) is to help people
    understand what features in the data a neural network is actually learning
    -- and thus whether the resulting model is accurate and unbiased. [...]

    Once again, AI is reinvented!

    But first, it would be nice if the Tech Review writer (Douglas Heaven) knew
    that *interpretable* and *explainable* are not the same thing.

    Second, it would be nice if the writer looked at the extensive literature on
    explanation in AI systems; goes back to the great-grandparent of AI systems,
    MYCIN, and its explanation subsystem. [note: MYCIN's `certainty factors'
    were soon supplanted at Stanford by Bayes networks]

    Per Geoff Hinton, Deep learning NNs are approximations of (full) Bayesian
    classifiers. Explanation of Bayesian inference has long been seen to be in
    need of `explanation' (or perhaps `convincing' :)) because human reason
    under uncertainty has often been found to deviate from Bayesian inference
    (which is provably optimal).

    The earliest reference to explanation of Bayesian inference I've found is
    the following (and it should be obvious why I looked no further ;-)):

    Elsaesser, Christopher (1987) Explanation of Probabilistic Inference for
    Decision Support Systems *Proceedings of the Third Conference on
    Uncertainty in Artificial Intelligence (UAI-87),* Morgan Kaufmann, San
    Francisco, CA.

    That paper reported work I did for my PhD thesis at Carnegie Mellon. My
    techniques were substantially improved and extended by Marek Druzdzel. For
    example:

    Henrion, M. and M. J. Druzdzel (1990). Qualitative and linguistic
    explanations of probabilistic reasoning in belief networks. Proceedings of
    the Sixth Conference on Uncertainty in Artificial Intelligence, pages 10-20
    Cambridge, MA, Association for Uncertainty in AI.

    NOT that re-invention is not worthwhile. Just that at least in this case
    it's nothing new. :)

    ------------------------------

    Date: Tue, 4 Feb 2020 18:03:22 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Read the FBI's Damning Case Against the Recently Arrested Nintendo
    Hacker (Vice)

    The hacker who stole from Nintendo for years bragged about it online, and
    didn't even try to hide his real name or activities.

    https://www.vice.com/en_us/article/...against-the-recently-arrested-nintendo-hacker

    ------------------------------

    Date: Thu, 6 Feb 2020 18:55:58 -0700
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Who owns your feelings? Short doc shows how big tech uses AI to
    track emotions (CBC)

    https://www.cbc.ca/news/canada/montreal/stealing-ur-feelings-1.5362954

    Watching Noah Levenson's short documentary Stealing Ur Feelings is
    undoubtedly intended to be an uncomfortable experience.

    The short film, which premiered in Montreal as part of the International
    Documentary Festival this week, explains how big business has the capacity
    to use artificial intelligence programs and facial recognition software to
    track and monitor the emotions of its users.

    But he does this by using the same technology against the viewers of the
    film. "It uses facial emotion recognition AI to watch you back. So it
    analyzes your face as you react to content it shows you," explained
    Levenson.

    "So, the film uses the camera in your device to make you the star of the
    film."

    ------------------------------

    Date: Wed, 5 Feb 2020 00:58:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Photo Roulette on the App Store

    In Photo Roulette you compete with your friends to quickly guess whose photo
    is shown! Play with random photos from you (sic) and your friends' phones in
    this social and exciting Photo Roulette game! Feel the thrill before each
    picture and share the hilarious moments that occur with the pictures of your
    friends and family!

    https://apps.apple.com/us/app/photo-roulette/id1050443738

    Never mind someone hacking your phone for pictures, play the game and see
    what's distributed.

    ------------------------------

    Date: Fri, 7 Feb 2020 12:26:13 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The 'race to 5G' is a myth (WEForum)

    EXCERPT:

    Telecommunications providers relentlessly extol the power of
    fifth-generation (5G) wireless technology. Government officials and policy
    advocates fret that the winner of the "5G race" will dominate the Internet
    of the future, so America cannot afford to lose out. Pundits declare that 5G
    will revolutionize the digital world.

    <https://www.weforum.org/agenda/2018...o-become-even-more-interconnected-here-s-how/>
    <https://www.cnn.com/2020/01/24/perspectives/america-china-5g-race/index.html>
    <https://www.weforum.org/agenda/2019/01/here-s-how-5g-will-revolutionize-the-digital-world/>

    It all sounds very thrilling. Unfortunately, the hype has gone too far. 5G
    systems will, over time, replace today's 4G, just as next year's iPhone 12
    will improve on this year's 11. 5G networks offer significantly greater
    transmission capacity. However, despite all the hype, they won't represent a
    radical break from the current mobile experience. First of all, the "race
    to 5G" is a myth. 5G is a marketing term for a family of technologies, which
    carriers can stretch to cover a variety of networks. The technical standards
    are still under development
    <https://www.brookings.edu/research/5g-in-five-not-so-easy-pieces/>, so what
    counts as "true" 5G is arguable. As with 4G, the 5G rollout will take years,
    as carriers upgrade their networks with new gear and users buy new
    phones. Just as they do today, connections will fall back to slower speeds
    when users aren't near enough to a tower, or if the network is overloaded.
    There's no magic moment when a carrier, or a nation, "has" 5G.

    Even if there was a race, it's over: South Korea and China have already
    built <https://www.cnn.com/2019/11/01/tech/5g-china/index.html> much more
    extensive 5G networks than the United States. But that shouldn't be cause
    for panic. Customers in those countries may have a leg up on faster
    connections, but that doesn't necessarily create a sustainable strategic
    advantage. Romania is one of 10 countries with significantly faster
    <https://www.speedtest.net/global-index> average fixed broadband connections
    than America today, yet no one in Washington seems concerned that will give
    Romanian firms a dominant advantage. The major tech platforms delivering
    innovative digital services to the world are still based in the United
    States and China. There are important concerns
    <https://www.cnn.com/2019/12/05/tech/huawei-us-ban-lawsuit/index.html> about
    the Chinese networking firm Huawei creating backdoors for surveillance or
    tilting the carrier equipment market toward Chinese-defined standards. Your
    5G user experience, however, won't depend on who makes the gear in the guts
    of the network. The overheated rhetoric is based on the misconception that
    5G heralds a new era of services for end-users. In reality, the claimed
    performance -- hundreds of megabits or even gigabits per second
    -- is misleading. Averages and ideal numbers mask huge variations
    depending <https://www.cnn.com/2019/08/09/tech/5g-review/index.html> on
    distance to an antenna, obstructions, weather and other factors. The fastest
    speeds require "millimeter wave" spectrum, which doesn't penetrate walls or
    foliage well, and is generally less reliable than the lower frequencies used
    today. Millimeter wave requires a much denser network of antennas, which
    could be cost-prohibitive outside dense urban areas. Even if that hurdle is
    overcome, a gigabit per second to millions of phones requires a network able
    to move traffic at that speed end-to-end, which doesn't exist today. [...]

    https://www.cnn.com/2020/02/03/perspectives/5g-disruption/index.html

    ------------------------------

    Date: Thu, 6 Feb 2020 18:57:47 -0700
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Not all fun and memes: What's the trouble with TikTok? (CBC)

    https://www.cbc.ca/news/technology/tiktok-criticism-expansion-in-canada-1.5336375
    It's been a bad week for TikTok.

    The Chinese-owned video-sharing app, wildly popular with teens, was forced
    to issue a rare public statement about its data security practices and
    whether it censors content on behalf of Beijing.

    In short, TikTok said it can be trusted with its users' data and that it
    doesn't delete videos just because of "sensitivities related to China." But
    that's done little to quiet the app's increasingly vocal critics who worry
    the platform, with its short lip-sync and comedy videos, is the latest
    example of Beijing's overseas intelligence-gathering operation.

    Toronto-based privacy advocate Ann Cavoukian told CBC News she is skeptical
    of TikTok's defence, because "surveillance among the Chinese is non-stop."

    ------------------------------

    Date: Fri, 7 Feb 2020 12:25:16 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Night Sky Will Never Be the Same (The Atlantic)

    *If Elon Musk has his way, thousands of bright artificial lights will
    streak through the dark*
    EXCERPT:

    Last year, Krzysztof Stanek got a letter from one of his neighbors. The
    neighbor wanted to build a shed two feet taller than local regulations
    allowed, and the city required him to notify nearby residents. Neighbors,
    the notice said, could object to the construction. No one did, and the shed
    went up.

    Stanek, an astronomer at Ohio State University, told me this story not
    because he thinks other people will care about the specific construction
    codes of Columbus, Ohio, but rather because it reminds him of the network of
    satellites SpaceX is building in the space around Earth. ``Somebody puts up
    a shed that might obstruct my view by a foot, I can protest. But somebody
    can launch thousands of satellites in the sky and there's nothing I can do?
    As a citizen of Earth, I was like, *Wait a minute*.''

    Since last spring, SpaceX has launched into orbit dozens of small
    satellites -- the beginnings of Starlink, a floating scaffold that the
    company's founder, Elon Musk, hopes will someday provide high-speed
    Internet to every part of the world.
    <https://www.theatlantic.com/science/archive/2019/05/spacex-satellites-starlink/590269/>

    SpaceX sent a letter too, in a way. After filing for permission to build
    its constellation in space, federal regulators held the required comment
    period, open to the public, before the first satellites could launch.

    These satellites have turned out to be far more reflective than anyone, even
    SpaceX engineers, expected. Before Starlink, there were about 200 objects in
    orbit around Earth that could be seen with the unaided eye. In less than a
    year, SpaceX has added another 240. ``These are brighter than probably 99
    percent of existing objects in Earth orbit right now,'' says Pat Seitzer, a
    professor emeritus at the University of Michigan who studies orbital
    debris. For months, astronomers have shared images online of their
    telescopes' fields of view with diagonal white streaks cutting across the
    darkness, the distinct appearance of Starlink satellites. More satellites
    are now on the way, both from SpaceX and other companies. If, as Musk hopes,
    these satellites number in the tens of thousands, ignoring them will be
    difficult, whether you're an astronomer or not.

    In some ways, these satellites pose a familiar problem, a matter of managing
    the competing interests that scientists, commercial companies, and the
    public might have in a limited natural resource. But the use of outer space
    -- particularly the part in close vicinity to our planet -- has never been
    tested quite like this before. For most of history, scientists, particularly
    those who observe the cosmos on visible wavelengths, have had relatively
    little competition for access to the sky. Passing satellites were considered
    nuisances and sometimes wrecked data, but they were rare. Some astronomers
    are now calling for legal action but even those who wouldn't push that far
    describe Starlink's satellites as a wake-up call: What happens when new and
    powerful neighbors have a distinct -- and potentially disruptive -- plan for
    a place you value?...
    <https://room.eu.com/news/legal-acti...op-starlink-ruining-the-night-say-astronomers>,

    [...]
    https://www.theatlantic.com/science/archive/2020/02/spacex-starlink-astronomy/606169/

    ------------------------------

    Date: Fri, 7 Feb 2020 11:14:15 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boeing's Starliner space capsule suffered a second software
    glitch during December test flight (WashPost)

    Boeing's Starliner space capsule suffered a second software glitch during
    December test flight

    https://www.washingtonpost.com/tech...-software-glitch-during-december-test-flight/

    ------------------------------

    Date: Thu, 6 Feb 2020 14:33:07 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boeing Refuses to Cooperate With New Inquiry into Deadly Crash
    (NYTimes)

    https://www.nytimes.com/2020/02/06/business/boeing-737-inquiry.html

    In both the Max accidents and the 2009 crash, which involved a 737 NG,
    Boeing’s design decisions allowed a single malfunctioning sensor to trigger
    a powerful computer command, even though the plane was equipped with two
    sensors. For both models, the company had determined that if a sensor
    failed, pilots would recognize the problem and recover the plane. But Boeing
    did not provide pilots with key information that could have helped them
    counteract the automation error.

    After the 2009 crash, regulators required airlines to install a software
    update for the NG that allowed comparison of data from the two available
    sensors — much the same fix that Boeing has now proposed for the Max. In the
    case of the NG, Boeing had developed a software update before the 2009
    accident, but it wasn't compatible with all existing models, including the
    jet that crashed near Amsterdam.

    ------------------------------

    Date: Mon, 10 Feb 2020 08:17:07 -0500
    From: Jan Wolitzky <jan.w...@gmail.com>
    Subject: NASA Shares Initial Findings from Boeing Starliner Orbital Flight
    Test Investigation (NASA)

    https://blogs.nasa.gov/commercialcr...-starliner-orbital-flight-test-investigation/

    ------------------------------

    Date: Wed, 5 Feb 2020 11:04:31 +0100
    From: Terje Mathisen <terje....@tmsw.no>
    Subject: Re: Boeing 737s can't land facing west (RISKS-31.54)

    I think this data item, along with the very limited number of identified
    problematic runways provide a strong clue:

    The flight software splits the circle into quadrants, then for at least one
    quadrant boundary the logic to determine which one is broken, i.e.
    something like

    if (angle < 270.0) quadrant = 3;
    else if (angle > 270.0) quadrant = 4;

    For these particular runways, the planners had enough freedom to be allowed
    to place each runway exactly where they wanted and decided to draw a
    perfectly straight line <E-W> using RTK GPS surveying so that the actual
    direction is 270 degrees exactly, while on all the other "Runway 27"s
    (approx) in the world which have been certified for 737 landings, there is a
    small but sufficient angular offset.

    I would have expected such an error to also happen in the opposite direction
    though, that's why I'm guessing at individual code for each boundary.
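
A constructed illustration of the boundary gap Terje sketches, added here and not part of his post; the quadrant layout and the 270-degree gap are assumptions drawn from his "something like" fragment, not real flight software. The guessed version leaves a heading of exactly 270.0 unassigned, while the hardened version reduces the heading into [0, 360) and uses half-open intervals so every value, boundaries included, maps to exactly one quadrant.

```c
#include <stdio.h>

/* Hypothetical reconstruction of the suspected quadrant logic (constructed
 * example): each boundary has its own hand-written comparisons, and the
 * 270-degree boundary is covered by neither branch.
 * Returns 1..4, or 0 when no branch matched. */
int quadrant_guessed(double angle)
{
    int quadrant = 0;                          /* 0 = fell through every branch */
    if (angle >= 0.0 && angle < 90.0)
        quadrant = 1;
    else if (angle >= 90.0 && angle < 180.0)
        quadrant = 2;
    else if (angle >= 180.0 && angle < 270.0)
        quadrant = 3;
    else if (angle > 270.0 && angle < 360.0)   /* gap: angle == 270.0 */
        quadrant = 4;
    return quadrant;
}

/* Hardened version: reduce the heading into [0, 360) first, then map it with
 * half-open intervals [0,90), [90,180), [180,270), [270,360), so every
 * representable heading, boundaries included, lands in exactly one quadrant.
 * Returns 0 only for NaN, which is rejected rather than guessed. */
int quadrant_fixed(double angle)
{
    if (angle != angle)                        /* NaN never compares equal */
        return 0;
    double a = angle;
    while (a >= 360.0)                         /* compass headings are bounded, */
        a -= 360.0;                            /* so these loops are short */
    while (a < 0.0)
        a += 360.0;                            /* e.g. -90 -> 270 */
    if (a >= 360.0)
        a = 0.0;                               /* tiny negatives can round up to 360.0 */
    return (int)(a / 90.0) + 1;                /* truncation: 269.99 -> 3, 270.0 -> 4 */
}

/* Sweep a list of headings and count how many the guessed logic leaves
 * unassigned; a check like this catches a boundary gap before a precisely
 * surveyed runway does. */
int count_unassigned(const double *headings, int n)
{
    int unassigned = 0;
    for (int i = 0; i < n; i++)
        if (quadrant_guessed(headings[i]) == 0)
            unassigned++;
    return unassigned;
}

int main(void)
{
    /* Constructed headings: the four exact quadrant boundaries plus values just
     * either side of 270, mimicking "Runway 27"s that are almost, or exactly, 270. */
    const double headings[] = { 0.0, 90.0, 180.0, 269.99, 270.0, 270.01, 359.99 };
    const int n = (int)(sizeof headings / sizeof headings[0]);

    for (int i = 0; i < n; i++)
        printf("heading %7.2f  guessed=%d  fixed=%d\n",
               headings[i], quadrant_guessed(headings[i]), quadrant_fixed(headings[i]));
    printf("headings left unassigned by guessed logic: %d\n",
           count_unassigned(headings, n));
    return 0;
}
```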

    ------------------------------

    From: "3daygoaty" <threed...@gmail.com>
    Date: Wed, 5 Feb 2020 11:11:12 +1100
    Subject: Re: 99 smartphones ... (RISKS-31.56)

    This involved 99 real smart phones running the Google maps app. Can the
    same effect be achieved by simulating the phones on fewer- or one- physical
    device(s)? How easy is it then to tell Google Maps you are somewhere you
    actually aren't?

    The hack looks like it could be used to flock self-driving cars away from
    some route or alternatively, funnel them into some sort of trap.
    Self-driving cars likely being rather posh cars might be desirable for car
    jacking, say.

    The service that allows the authorities to get all green lights driving
    across the city for the movement of sensitive freight, high profile people
    or prisoners - I would presume their route is fixed and not subject to
    traffic? Gerry Adams came to Melbourne. They organised 5 routes from the
    airport to a certain Irish pub. At the last minute they picked one of
    them. Can I use the above hack to route Gerry where I want him?

    ------------------------------

    Date: Wed, 05 Feb 2020 23:18:06 -0500
    From: JC Cantrell <j...@cantrell2.org>
    Subject: Re: 99 smartphones ... (RISKS-31.56)

    I smell a small business opportunity here.

    Got too much traffic on your street? Waze leading others to contribute to
    your traffic headaches?

    Hire me! I have the wagon, can get the old phones and, for the right price,
    will walk your streets at rush hour! Guaranteed to reduce traffic by 10, 20,
    or even 30 percent!

    Now I just have to subcontract this, but being in California with recent
    independent contractor classification troubles, let's just call the whole
    thing off.

    Another one of my grand schemes shot down.

    ------------------------------

    Date: Thu, 6 Feb 2020 11:40:31 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Re: Artificial intelligence-created medicine to be used on humans
    for first time (RISKS-31.56)

    AI assisted with a small part of drug discovery, not quite the breakthrough
    suggested by the press.

    https://blogs.sciencemag.org/pipeline/archives/2020/01/31/another-ai-generated-drug

    ------------------------------

    Date: Tue, 04 Feb 2020 16:07:52 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: AI-created medicine to be used on humans (Stein, R 31.56)

    Perhaps they should run the first tests on another AI.

    "Typically, drug development takes about five years to get to trial"; here
    "trial" means the first class action suit.

    Remember the principle: "An AI for an AI".

    [Richard Stein replied:

    Henry -- A good aphorism. Nothing like algorithmic retribution --
    recursive payback. I favor "Dog Fooding" in this case. Would the
    pharmaceutical company's investors or employees subject their children
    to the clinical trial if they qualified as candidates? RS]

    ------------------------------

    Date: 4 Feb 2020 17:43:54 -0500
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: Election Security At The Chip Level (SemiEngineering, RISKS-31.56)

    Where I live, they have the info you provided when you registered which
    includes your signature and usually height and eye color which the election
    officials check. (I used to be one.) The officials are mostly retired local
    folks, and often know who you are anyway. Very low tech but pretty
    effective.

    Despite endless disinformation to the contrary, in-person voter fraud is not
    a problem and never has been. If you think about it for two minutes, it's
    about the worst possible way to steal an election, one vote at a time with
    each vote subject to challenge. Sensible people steal an election by
    bribing the officials so when the polls close they stuff the box full of
    enough ballots to ensure that the correct candidate wins.

    For an excellent discussion of this technique, read Robert Caro's "Means of
    Ascent" which is mostly about how Lyndon Johnson won the 1948 primary that
    put him in the Senate. It includes a long interview with the guy who had
    the ballot box.

    ------------------------------

    Date: Tue, 4 Feb 2020 22:22:53 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Should Automakers Be Responsible for Accidents? (Levine,
    RISKS-31.56)

    And parking tickets imposing automaker liability:

    Sorry sir, we've remotely disabled your car, now that it's legally parked in
    your garage. Please complete the attached agreement committing to better
    behavior, so that we may restore your driving privileges at the end of next
    month.

    On 2/4/2020 5:07 PM, John Levine wrote:
    > In article <16.CMM.0.90.4.1580237212.risko@chiron.csl.sri.com7592> you write:
    >> What a strange scheme:
    >>
    >> Automaker enterprise liability would have useful incentives that driver
    >> liability law misses.
    >> https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf
    > I can hardly wait:
    >
    > "Sorry, sir, you've had three moving violations so we'll have to ask
    > you to leave the showroom now."

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.57
    ************************
     
  10. LakeGator
    Risks Digest 31.58

    RISKS List Owner

    Feb 15, 2020 9:21 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 15 February 2020 Volume 31 : Issue 58

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Intelligence Coup of the Century: For decades, the CIA read the
    encrypted communications of allies and adversaries (Greg Miller)
    The US Fears Huawei Because It Knows How Tempting Backdoors Are (WIRED)
    U.S. Charges Chinese Military Officers in 2017 Equifax Hacking (NYTimes)
    Voatz: Ballots, Blockchains, and Boo-boos? (MIT via PGN retitling)
    Lax FAA oversight allowed Southwest to put millions of
    passengers at risk, IG says (WashPost)
    Pentagon ordered to halt work on Microsoft's JEDI cloud contract after
    Amazon protests (WashPost)
    Linux is ready for the end of time (ZDNet)
    Google redraws the borders on maps depending on who's looking (WashPost)
    Car renter paired car to FordPass, could still control car long after return
    (ZDNet)
    European Parliament urges oversight for AI (Politico Europe)
    AI can create new problems as it solves old ones (Fortune)
    AI and Ethics (NJ Tech Weekly)
    The future of software testing in 2020: Here's what's coming (Functionize)
    Will Past Criminals Reoffend? Humans Are Terrible at Guessing, and Computers
    Aren't Much Better (Scientific American)
    Apple joins FIDO Alliance, commits to getting rid of passwords (ZDNet)
    IRS paper forms vs. COVID-19 (Dan Jacobson)
    The Politics of Epistemic Fragmentation (Medium)
    Why Is Social Media So Addictive? (Mark D. Griffiths)
    The high cost of a free coding bootcamp (The Verge)
    Debunking the lone woodpecker theory (Ed Ravin)
    Re: Benjamin Netanyahu's election app potentially exposed data for
    every Israeli voter (Amos Shapir)
    Re: Backhoes, squirrels, and woodpeckers as DoS vectors (Tom Russ)
    Re: A lazy fix 20 years ago means the Y2K bug is taking down computers, now
    (Martin Ward)
    Re: Autonomous vehicles (Stephen Mason)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 11 Feb 2020 08:53:12 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Intelligence Coup of the Century: For decades, the CIA read the
    encrypted communications of allies and adversaries (Greg Miller)

    Greg Miller, *The Washington Post*, 11 Feb 2020
    <https://www.washingtonpost.com/grap...ity/cia-crypto-encryption-machines-espionage/>

    For more than half a century, governments all over the world trusted a
    single company to keep the communications of their spies, soldiers and
    diplomats secret. That company was secretly run by the CIA, which had the
    ability to read all those communications for decades.

    The company, Crypto AG, got its first break with a contract to build
    code-making machines for U.S. troops during World War II. Flush with cash,
    it became a dominant maker of encryption devices for decades, navigating
    waves of technology from mechanical gears to electronic circuits and,
    finally, silicon chips and software.

    The Swiss firm made millions of dollars selling equipment to more than 120
    countries well into the 21st century. Its clients included Iran, military
    juntas in Latin America, nuclear rivals India and Pakistan, and even the
    Vatican.

    But what none of its customers ever knew was that Crypto AG was secretly
    owned by the CIA in a highly classified partnership with West German
    intelligence. These spy agencies rigged the company's devices so they could
    easily break the codes that countries used to send encrypted messages.

    The decades-long arrangement, among the most closely guarded secrets of the
    Cold War, is laid bare in a classified, comprehensive CIA history of the
    operation obtained by The Washington Post and ZDF, a German public
    broadcaster, in a joint reporting project.

    The account identifies the CIA officers who ran the program and the
    company executives entrusted to execute it. It traces the origin of the
    venture as well as the internal conflicts that nearly derailed it. It
    describes how the U.S. and its allies exploited other nations' gullibility
    for years, taking their money and stealing their secrets.

    The operation, known first as `Thesaurus' and later `Rubicon', ranks among
    the most audacious in CIA history.

    [Very long, but remarkably illuminating item abridged for RISKS. PGN]

    ------------------------------

    Date: Thu, 13 Feb 2020 19:04:06 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The US Fears Huawei Because It Knows How Tempting Backdoors Are
    (WIRED)

    The US Fears Huawei Because It Knows How Tempting Backdoors Are

    [See also
    The US says Huawei has been spying through 'back doors' designed for law enforcement — which is what the US has been pressuring tech companies to do for years
    PGN]

    ------------------------------

    Date: Mon, 10 Feb 2020 14:17:46 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Charges Chinese Military Officers in 2017 Equifax Hacking
    (NYTimes)

    U.S. Charges Chinese Military Officers in 2017 Equifax Hacking

    https://www.washingtonpost.com/nati...a1f7be-4c13-11ea-bf44-f5043eb3918a_story.html

    [Let's not forget the massive loss of personal data from the attack on the
    Office of Personnel Management, which might be even more damaging.
    Reported (for example) in RISKS-28.69,70,71,72,75,80,83,94,95,96 in 2015.
    PGN]

    ------------------------------

    Date: Thu, 13 Feb 2020 17:01:05 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Voatz: Ballots, Blockchains, and Boo-boos? (MIT via PGN retitling)

    This is an outstanding paper.

    Michael A. Specter, James Koppel, Daniel Weitzner (MIT)
    The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz,
    the First Internet Voting Application Used in U.S. Federal Elections
    https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf

    See also some of the subsequent items:

    "Their security analysis of the application, called Voatz, pinpoints a
    number of weaknesses, including the opportunity for hackers to alter, stop,
    or expose how an individual user has voted."
    MIT researchers identify security vulnerabilities in voting app

    Voting on Your Phone: New Elections App Ignites Security Debate,
    *The New York Times*, 13 Feb 2020
    https://www.nytimes.com/2020/02/13/us/politics/voting-smartphone-app.html

    Kim Zetter
    https://www.vice.com/en_us/article/...-in-four-states-has-elementary-security-flaws

    The general consensus seems to be that Voatz's responses neither address
    their criticisms nor give any reasonable assurance.

    https://blog.voatz.com/?p=1209
    https://www.prnewswire.com/news-releases/new-york-times-profiles-voatz-301004581.html

    ------------------------------

    Date: Tue, 11 Feb 2020 19:33:16 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Lax FAA oversight allowed Southwest to put millions of
    passengers at risk, IG says (WashPost)

    https://www.washingtonpost.com/loca...fdb714-4d22-11ea-b721-9f4cdc90bc1c_story.html

    [That's "lax", not "LAX". PGN]

    "The Federal Aviation Administration allowed Southwest Airlines to put
    millions of passengers at risk by letting the airline operate planes that
    did not meet U.S. aviation standards and by failing to provide its own
    inspectors with the training needed to ensure the highest degree of safety,
    according to a report released Tuesday by the Department of Transportation's
    inspector general."

    The flying public experiences elevated risk when FAA inspectors are not
    qualified or are under-trained to competently fulfill mandated
    assignments. Trust but verify rigor is required to ensure life-critical
    operational readiness. Coffee cup inspections don't cut it.

    "The FAA's overreliance on industry-provided risk assessments and failure to
    dig deeply into many of those assessments is a broader concern raised by
    several outside experts and reviews following the crashes of two Boeing 737
    Max jets that killed 346 people..."

    See http://catless.ncl.ac.uk/Risks/31/17#subj2.1 for an exposé on industry
    self-regulation efforts, and why the US government promotes the
    practice. Alternatively, the EU's precautionary measures regulatory approach
    might reduce the frequency of disruptive brand outrage incidents and
    declining product orders.

    ------------------------------

    Date: Fri, 14 Feb 2020 10:17:27 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Pentagon ordered to halt work on Microsoft's JEDI cloud contract
    after Amazon protests (WashPost)

    A lawsuit brought by Amazon has forced the Pentagon to again pump the brakes
    on an advanced cloud computing system it sought for years, prompting yet
    another delay the military says will hurt U.S. troops and hinder its
    national security mission.

    A federal judge Thursday ordered the Pentagon to halt work on the Joint
    Enterprise Defense Infrastructure cloud computing network, known as JEDI, as
    the court considers allegations that President Trump improperly interfered
    in the bidding process.

    The order comes just one day before the Defense Department had planned to
    ``go live'' with what it has long argued is a crucial national defense
    priority.

    https://www.washingtonpost.com/busi...ts-jedi-cloud-contract-after-amazon-protests/

    Halt work? ...one day before? ...a crucial national defense priority?
    Politicize technology decisions? Sounds about right.

    ------------------------------

    Date: Fri, 14 Feb 2020 10:21:08 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Linux is ready for the end of time (ZDNet)

    2038 is for Linux what Y2K was for mainframe and PC computing in 2000, but
    the fixes are underway to make sure all goes well when that fatal time rolls
    around. ...

    But look at this way: After we fix this, we won't have to worry about 64-bit
    Linux running out of seconds until 15:30:08 GMT Sunday, December 4,
    29,227,702,659. Personally, I'm not going to worry about that one.

    https://www.zdnet.com/article/linux-is-ready-for-the-end-of-time/

    ------------------------------

    Date: Fri, 14 Feb 2020 12:21:04 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Google redraws the borders on maps depending on who's looking
    (WashPost)

    Dynamic map border revisions: a catastrophic recipe for navigation errors
    and munitions deployment.

    ------------------------------

    Date: Fri, 14 Feb 2020 17:53:13 -0500
    From: Mary M Shaw <mary...@cs.cmu.edu>
    Subject: Car renter paired car to FordPass, could still control car long after
    return (ZDNet)

    Someone rented a Ford from Enterprise and paired it with FordPass to get
    remote control. Five months later he could still start and stop the engine,
    lock and unlock the car, and track it -- remotely. Same thing happened to
    him a second time.

    Recent piece in ZDNet
    https://www.zdnet.com/article/he-re...o-he-can-still-turn-the-engine-on-via-an-app/

    Earlier report in Ars Technica

    Text of ZDNet article ...

    *He returned the rental car long ago. He can still turn the engine on via an
    app*

    Imagine you've parked your rental car and are walking away. Suddenly, the
    car starts up, seemingly on its own. Yes, it's another day in technology
    making everything better. ...

    You think we're living in the end of times?

    No, this is just a transitional period between relative sanity and robot
    inanity.

    The problem, of course, is that our deep, mindless reliance on technology is
    causing severe disruption.

    I'm moved to this fortune cookie thought by the tale of a man who rented a
    Ford Expedition from Enterprise. He gave it back and, five months later, he
    discovered that he could still start its engine, switch it off, lock and
    unlock it and even track it. Remotely, that is.

    You see, as Ars Technica described last October
    <https://arstechnica.com/information...ning-rental-car-man-still-has-remote-control/>,
    Masamba Sinclair had connected his rental car to FordPass, an app that's
    presumably very useful. Who wouldn't want to remotely unlock the doors of a
    car someone else is renting? Just to imagine their faces, you understand. It
    so happened that Sinclair hadn't unpaired his app from the car. Cue the
    absurdity.

    At the time, I thought Sinclair's tale entertaining. But surely the app's
    vulnerability would be patched, secured or whatever technical verbal emoji
    you might choose.

    Yet Sinclair just rented another Ford -- this time, a Mustang. And what do
    you know, four days after he'd returned it, he could still make the car do
    things from his phone. Which could have been a touch bemusing to anyone who
    happened to have subsequently rented it.
    <https://arstechnica.com/information...-remote-control-long-after-cars-are-returned/>

    It seems that Ford does offer warning notifications inside the car when it's
    paired with someone's phone.

    Yet if subsequent renters or, indeed, the rental company's cleaners don't
    react to such notifications -- or simply don't see them -- a random somebody
    who happens to still have an app paired to the car may incite some remote
    action, like a ghostly jump start.

    You might think Sinclair should have already disconnected his app from any
    car he'd previously rented. Some might grunt, though, that it shouldn't be
    his responsibility.

    For its part, Enterprise gave Ars a statement that began: "The safety and
    privacy of our customers is an important priority for us as a company." An
    important priority, but not the most important priority?

    The company added: "Following the outreach last fall, we updated our car
    cleaning guidelines related to our master reset procedure. Additionally, we
    instituted a frequent secondary audit process in coordination with Ford. We
    also started working with Ford and are very near the completion of testing
    software with them that will automate the prevention of FordPass pairing by
    rental customers."

    Here's the part that always makes me curl up on my sofa and offer
    intermittent bleats. Why is it that when technologies such as these are
    implemented, the creators don't sufficiently consider the potential
    consequences and prevent them from happening?

    If Sinclair could so easily keep his app paired to any Ford he'd rented --
    and this surely doesn't just apply to Fords -- why wasn't it easy for the
    Ford and/or Enterprise to ensure it couldn't happen?

    Why does it take a customer to point out the patent insecurity of the system
    before companies actually do anything about it?

    Perhaps one should be grateful that at least nothing grave occurred. But
    imagine if someone of brittle brains realized they could be the ghost in a
    machine and really scare a stranger.

    Too often, tech companies place the onus on customers to work things out for
    themselves and even to save themselves. Or, worse, to only discover a breach
    when it's too late.

    Wouldn't it be bracing if tech companies, I don't know, showed a little
    responsibility in advance?

    ------------------------------

    Date: Thu, 13 Feb 2020 10:08:23 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: European Parliament urges oversight for AI (Politico Europe)

    Lawmakers in Strasbourg adopted a resolution calling for strong oversight of
    artificial intelligence technology, approving the text by hand vote while
    rejecting six potential amendments.
    <https://www.europarl.europa.eu/doceo/document/B-9-2020-0094_EN.pdf>

    The document, which was adopted by the Parliament's Committee on Internal
    Market and Consumer Protection (IMCO) late last month, marks the first time
    since new lawmakers were elected last year that the assembly takes a
    position on what kind of safeguards are needed for automated decision-making
    processes. It comes as political leaders at the European Commission, the
    EU's executive body, are set to initiate far-reaching legislation on
    artificial intelligence next week.

    ------------------------------

    Date: Fri, 14 Feb 2020 18:51:07 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: AI can create new problems as it solves old ones (Fortune)

    Some of the world's biggest companies are relying on AI to build a better
    workforce. But be warned: The tech can create new problems even as it
    solves old ones. ...

    In his Amsterdam offices, about an hour's drive from his company's largest
    non-American ketchup factory, Pieter Schalkwijk spends his days crunching
    data about his colleagues. And trying to recruit more: As head of Kraft
    Heinz's talent acquisition for Europe, the Middle East, and Africa,
    Schalkwijk is responsible for finding the right additions to his region's
    5,600-person team.

    It's a high-volume task. Recently, for an entry-level trainee program,
    Schalkwijk received 12,000 applications -- for 40 to 50 openings. Which is
    why, starting in the fall of 2018, thousands of recent university graduates
    each spent half an hour playing video games. ``I think the younger
    generation is a bit more open to this way of recruiting,'' Schalkwijk says.

    The games were cognitive and behavioral tests developed by startup
    Pymetrics, which uses artificial intelligence to assess the personality
    traits of job candidates. One game asked players to inflate balloons by
    tapping their keyboard space bar, collecting (fake) money for each hit until
    they chose to cash in—or until the balloon burst, destroying the
    payoff. (Traits evaluated: appetite for and approach to risk.) Another
    measured memory and concentration, asking players to remember and repeat
    increasingly long sequences of numbers. Other games registered how generous
    and trusting (or skeptical) applicants might be, giving them more fake money
    and asking whether they wanted to share any with virtual partners. [...]

    Still, he too is proceeding cautiously. For example, Kraft Heinz will likely
    never make all potential hires play the Pymetrics games. ``For generations
    that haven't grown up gaming, there's still a risk'' of age discrimination,
    Schalkwijk says.

    He's reserving judgment on the effectiveness of Pymetrics until this
    summer's performance reviews, when he'll get the first full assessment of
    whether this machine-assisted class of recruits is better or worse than
    previous, human-hired ones. The performance reviews will be data-driven but
    conducted by managers with recent training in avoiding unconscious
    bias. There's a limit to what the company will delegate to the machines.

    AI ``can help us and it will help us, but we need to keep checking that it's
    doing the right thing, Humans will still be involved for quite some time to
    come.''

    https://fortune.com/longform/hr-technology-ai-hiring-recruitment/

    But ... how can it work without quantum computing hosted blockchain?

    ------------------------------

    Date: Thu, 13 Feb 2020 07:06:49 -0500
    From: DrM <not...@mindspring.com>
    Subject: AI and Ethics (NJ Tech Weekly)

    https://njtechweekly.com/ai-and-ethics-part-1-will-vulnerable-ai-disrupt-the-2020-elections/

    [We're doomed... Rebecca Mercuri]

    ------------------------------

    Date: Wed, 12 Feb 2020 18:12:27 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The future of software testing in 2020: Here's what's coming
    (Functionize)

    Artificial intelligence and machine learning aren't the only changes to
    expect in QA, but they're a big part of it.

    https://www.functionize.com/blog/the-future-of-software-testing-in-2020-heres-whats-coming/

    ------------------------------

    Date: Fri, 14 Feb 2020 15:21:07 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Will Past Criminals Reoffend? Humans Are Terrible at Guessing,
    and Computers Aren't Much Better (Scientific American)

    https://www.scientificamerican.com/...-at-guessing-and-computers-arent-much-better/

    "Although all of the researchers agreed that algorithms should be applied
    cautiously and not blindly trusted, tools such as COMPAS and LSI-R are
    already widely used in the criminal justice system. 'I call it techno
    utopia, this idea that technology just solves our problems,' Farid says. 'If
    the past 20 years have taught us anything, [they] should have taught us that
    that is simply not true.'"

    In "Talking to Strangers: What We Should Know about the People We Don't
    Know," Malcolm Gladwell discusses judges during an arraignment hearing to
    determine "own recognizance release," or to imprison a suspect based on
    numerous factors. What tips a judge's decision to release or hold?

    Judges study prior criminal history, the crime, eyeball the suspect, etc. Do
    they always make a correct determination? No. News reports tragically
    document instances when a judge mistakenly interprets a suspect's public
    safety assessment, should the suspect commit a crime while on bail and
    caught.

    https://www.govtech.com/public-safe...Use-of-Algorithms-to-Determine-Bail-Risk.html
    discusses algorithmic public safety assessments which can assist judicial
    bail decisions.

    Risk: State or Federal legislation that establishes algorithmic priority
    over human judicial ruling.

    ------------------------------

    Date: Wed, 12 Feb 2020 18:07:46 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple joins FIDO Alliance, commits to getting rid of passwords (ZDNet)

    Passwords are a notorious security mess. The FIDO Alliance wants to replace
    them with better, more secure technology and now Apple is joining them in this
    effort.

    https://www.zdnet.com/article/apple-joins-fido-alliance-commits-to-getting-rid-of-passwords/

    ...I wonder about non-tech people reacting to and adopting this...

    ------------------------------

    Date: Fri, 14 Feb 2020 12:50:16 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: IRS paper forms vs. COVID-19

    In some cases* the US IRS still accepts only paper tax forms. Compare this
    to the government's FBAR form, which can be filed only electronically.
    But in some COVID-19 areas, paper mail is no longer an option...
    * E.g., Form 5329, when filed separately.

    ------------------------------

    Date: Wed, 12 Feb 2020 18:49:02 -0500
    From: John Ohno <john...@gmail.com>
    Subject: The Politics of Epistemic Fragmentation (Medium)

    Over the past few years, it has seemed as though the only thing real news
    outlets can agree on is the danger of *fake news*.

    Foreign powers or domestic traitors are accused of engineering political
    divisions, creating *polarization*, and seeding arbitrary disinformation for
    the sole purpose of making it impossible for people from different
    subcultures to communicate. This is blamed on the Internet (and, more
    specifically, social media) -- and there is some truth to this accusation.
    However, as is often the case with new communication technologies, social
    media has not accelerated this tendency towards disinformation so much as it
    has made it more visible and legible.
    <https://modernmythology.net/contra-...ds_link&sk=c0aed65c0f5befe2a1e241efd8d695e3>

    When widespread Internet access broke down our sense of a collective
    reality, what it was toppling was not the legacy of the Enlightenment, but
    instead an approximately 100-year bubble in media centralization. Current
    norms around meaning-making cannot survive the slow collision with
    widespread private ownership of duplication & broadcast technologies.

    These norms are built around an assumption that consensus is normal and
    desirable among people who communicate with each other -- in other words,
    that whenever people calmly and rationally communicate, they will come to an
    understanding about base reality. This ignores the role of power relations
    in communication: in modern, liberal contexts, the party that can perform
    calm diplomatic rationality the best will win, and the best way to remain
    calm and diplomatic is to know that if you fail in your attempts at
    diplomacy, a technically advanced army will continue that diplomacy through
    more direct means. It also ignores the potential value of ideas (including
    myths) to people who do not fully understand their mechanism of action --
    what the rationalist community calls *Chesterton's Fence*.

    Just as we benefit from medical innovations like SSRIs and anesthesia
    without knowing how or why they work, many cultures benefit from beliefs
    that aren't grounded in observation, deduction, or strong evidence that
    they correspond to base reality -- but, rather, by the fact that everybody
    who didn't hold those beliefs eventually died for reasons that remain
    obscure.

    In situations of extreme cosmopolitanism, where people from different
    cultures and environments communicate on equal terms, there will be
    disagreements that cannot be dismissed as merely aesthetic preferences or
    historical relics -- but that nevertheless cannot be worked out through
    debate or discussion, simply because discovering their material bases is a
    project of immense complexity.

    Epistemic fragmentation -- the tendency for different people to have
    different sources of knowledge and different, often conflicting,
    understandings -- is irreducible, and epistemic centralization -- the
    centralized control of shared sources of information -- cannot provide a
    universally-applicable shared understanding of the world.

    We should be wary of attempts to solve this problem through `trust in
    institutions' -- in other words, through a return to the epistemic
    centralization that characterized the twentieth century.

    This epistemic centralization was produced by tight control over broadcast
    communication -- organizations were `trusted' because they had the power
    (through reserves of capital, ownership of expensive equipment, and/or
    explicit government support) to reach many people with the same messages,
    but they were not `trustworthy' in the sense that they did not (and could
    not) accurately report on reality. While plenty of these organizations
    worked in good faith to be responsible and accurate, no handful of
    organizations has the manpower to report upon and fact check everything
    important.

    Organizational or institutional meaning-making is a slightly scaled-up form
    of individual meaning-making.

    An institution provides a structure for organizing individual work, and
    this structure organizes flows of resources and information.

    These flows control what information can be expressed externally by
    enforcing broadcast norms, house style, determining what sections are
    allocated to what topics and determining what counts as newsworthy based on
    whether or not it fits into any of these topics, and so on; they control
    what information can be expressed internally, based on norms about
    professional communication, expectations about shared spaces (like DC
    reporters socializing after-hours in particular bars, or tech and culture
    beat journalists socializing on twitter where strict character counts force
    a terse style), and social hierarchy and stigma around covering particular
    topics; they control what material can even be effectively researched
    through the control of resources like travel expenses, deadline length, and
    materials for stunt-reporting.

    All of these actions are essentially filters: they prevent journalists from
    researching and reporting on a wide variety of things they would like to
    cover, while producing incentives to cover a handful of specific things.
    Because of this, no institution can produce better-quality meaning (i.e.,
    meaning formed by serious consideration of a wider variety of sources) than
    the individuals working for it could produce under a looser confederation,
    assuming the resources necessary for access remained available.

    Consensus reality is merely a side effect of ignoring or erasing the pieces
    that cannot be made legible and cannot be made to fit any narrative or
    model -- and this erasure is political, in the sense that it shapes what can
    be imagined and what can be spoken about.

    We cannot effectively consider topics we are not allowed to discuss; we
    cannot make good personal decisions about topics we cannot effectively
    consider; we cannot make good collective decisions on topics about which we
    cannot make good personal decisions; therefore, the soft-censorship
    necessitated by the limited resources of the centralized meaning-making
    that engineers the illusion of consensus reality prevents politics from
    effectively addressing problems that affect only a few but that require
    mass action and solidarity to solve.

    The private supplementation of centralized shared knowledge is insufficient.

    The twentieth century model of broadcast media is an extension of earlier
    models of (print-based) publishing: in the beginning, printing presses and
    radio stations are expensive and a handful of early experimenters create
    content for a handful of early adopters; as equipment costs drop, more
    people get into the market, leading to a push to regulate and
    re-centralize helmed on one side by the biggest players in the market and
    on the other by folks who are concerned about signal-to-noise ratio.

    This leads to self-enforced standards -- rules for journalism, for instance
    -- along with state-enforced measures to create a `legitimate' class and
    separate it from `illegitimate' amateurs -- copyright, spectrum
    subdivisions, broadcast content rules.

    Broadcast mechanisms have typically remained expensive, regardless of how
    technology has progressed: prior to widespread Internet access, the
    cheapest broadcast medium (in terms of the ability of an individual of
    modest means to reach many people) was the production of xerox pamphlets --
    tens of cents per copy, plus postage.

    With the Internet, copying has a much lower cost & can be performed without
    the direct, intentional involvement of recipients --what costs do exist can
    be automatically distributed more evenly, rather than being concentrated in
    the hands of some central node.

    (Because of a historical mistake, the web concentrates costs centrally, but
    peer to peer communications technologies do not.)

    This breaks the economic justification for a tendency toward
    re-centralization in the distribution of information -- a justification that
    had previously made the institutionalization of consensus-making
    unavoidable.

    Prior to widespread literacy and widespread access to oral mass broadcast
    media, consensus-making and meaning-making was a social process rather than
    a parasocial one.

    Time-binding technologies -- mechanisms to permanently record and retrieve
    information, so that information that originated long ago or far away could
    be transmitted without distortion -- were limited to print.

    Writing, in the absence of mass-production technologies, had more of an
    oral aspect to it: while Babylonian kings would manufacture negative molds
    for exactly reprinting laws, manuscripts were largely transcribed by
    students in lecture halls who included the lecturer's asides in their
    transcriptions alongside their own notes, and these modified manuscripts
    would be the basis for later lectures or would be copied by hand. In other
    words, before print, it was rare for even writing to be `broadcast' in the
    sense of a large number of people receiving exactly the same information,
    and before radio, this kind of standardization was not available to the
    illiterate at all.

    In the print age, the intelligentsia got their ideas from the canon of
    great literature and so were capable of groupthink at scale, but their
    illiterate or semi-literate peers were exploring epistemic space together
    in a more organic fashion, without powerful time-binding technology
    tethering them to any baseline.

    The sharedness of their realities mirrored their social connectedness --
    almost always bidirectional, if not even or equitable -- and their social
    graphs mirrored geography (because transport technologies, though they
    could warp transit-space, did not flatten it -- it may be easier to go 100
    miles by train than 10 miles by horse, but it has never become equally easy
    to physically transport oneself to anywhere on earth).

    What the Internet did was to make visible the already-existing alien
    realities of the outgroup and allow faster mutation through the
    cross-pollination of fringe groups.

    Telephony could have done to these oral cultures some of what social media
    has done to our literate culture, had it become common and affordable a
    decade earlier and had party lines remained normal, but charging by the
    minute (with a multiplier for long-distance calls) prevented the telephone
    network from being the basis for the kind of multi-continent perpetual
    hangouts that make the Internet so cosmopolitan -- with the exception of
    phone phreaks, who used exploits to create exactly this kind of community
    behind Bell's back.

    ------------------------------

    Date: Tue, 11 Feb 2020 09:33:13 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Why Is Social Media So Addictive? (Mark D. Griffiths)

    Social media is awful and whatever pleasures it confers in the form of
    mildly amusing memes or a fleeting sense of community/belonging are
    massively outweighed by its well-documented downsides. Their psychic
    consequences are of interest to its owners only in the sense that, past a
    certain threshold, people might turn away from their platforms and cut off
    the endless stream of monetizable private data that sustain their business
    models and corrode conventional ideas about privacy, self-determination,
    etc. [...]

    I guess this is something I believe, though even typing it out is
    embarrassing -- because at this point it's so obvious/trite, and because its
    obviousness/triteness hasn't stopped me or anyone I know from using it.
    Some vague comfort is extractable from the fact that these platforms were
    designed to foster just this kind of behavior, but it might be nice to know
    how, exactly, that end was/is achieved. To that end, for this week's Giz
    Asks <https://gizmodo.com/c/giz-asks> we've reached out to a number of
    experts to find out why social media is so addictive.

    <https://www.ntu.ac.uk/staff-profiles/social-sciences/mark-griffiths>

    Distinguished Professor, Behavioural Addiction, Nottingham Trent University

    https://gizmodo.com/why-is-social-media-so-addictive-1841261494

    ------------------------------

    Date: Tue, 11 Feb 2020 12:14:19 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The high cost of a free coding bootcamp (The Verge)

    https://www.theverge.com/2020/2/11/21131848/lambda-school-coding-bootcamp-isa-tuition-cost-free

    ------------------------------

    Date: Mon, 10 Feb 2020 22:23:48 -0500
    From: Ed Ravin <era...@panix.com>
    Subject: Debunking the lone woodpecker theory

    Looking up more information about that acorn woodpecker stash, according to
    a couple of sources (especially the Nat Geo article below), an entire family
    of woodpeckers generally works as a team to build their stash, and it might
    have taken them as long as five years to squirrel away that 300-pound load:

    https://www.nationalgeographic.com/news/2015/11/151113-antenna-cache-acorn-woodpecker-california/

    Even more interestingly, that video is from 2009, leading to yet another
    RISK of finding things on the Internet - thinking something you've
    discovered is new just because it's new to you and the source conveniently
    didn't mention any dates on it.

    The "first woodpecker" quote is attributed to Gerald Weinberg, I remember
    that because I checked for a canonical version before putting in my post in
    RISKS-28.21. At the time I thought I was being novel, but I see now that I
    was merely the 3rd person to have that same great idea.

    https://en.wikiquote.org/wiki/Gerald_Weinberg

    ------------------------------

    Date: Wed, 12 Feb 2020 17:06:31 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Benjamin Netanyahu's election app potentially exposed data for
    every Israeli voter (RISKS-31.57)

    While the WP article is technically correct when saying that the app had
    exposed every "registered voter" in Israel, it makes the fault seem a bit
    less severe than it really is. The fact is, voters in Israel do not have to
    register; every citizen over 18 can vote, and is listed automatically. This
    means there is no opting out, everyone is on the exposed list, voting or
    not.

    ------------------------------

    Date: Wed, 12 Feb 2020 16:09:59 -0800
    From: Tom Russ <tar...@google.com>
    Subject: Re: Backhoes, squirrels, and woodpeckers as DoS vectors (R 31 57)

    A colleague points out that a longer video of this was uploaded to YouTube
    in 2009. It identifies the location as being the Bear Creek Road microwave
    site. The video is mis-titled "Squirrel [sic] fills Antenna with Acorns",
    but the comments identify a woodpecker as the culprit.

    ------------------------------

    Date: Wed, 12 Feb 2020 10:57:21 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: A lazy fix 20 years ago means the Y2K bug is taking down
    computers, now (New Scientist)

    The two options were: Extend the year field from 2 digits to 4 digits (which
    might have knock-on effects all over the system), or use a "sliding window"
    which would treat all dates whose 2 digit year could be interpreted as up
    to, say, 20 years in the future as actually in the future and not the past.

    In 2020 the sliding window should treat dates "20" to "40" as 2020
    to 2040 while "41" would be interpreted as 1941.

    Another option is simply to pick the closest date to the current date:
    this is approximately equivalent to a 50 year sliding window.

    Implementing a Y2K "fix" which is guaranteed to fail in a few years seems
    insane given that this is exactly the kind of short-sightedness which
    created the Y2K mess in the first place! (Unless it was a cunning plan for
    the programmers to give themselves extra business in 20 years time: like the
    programmer who was implementing a payroll system and programmed the system
    to crash if his name was not found on the payroll!)

    [And there won't be any COBOL programmers around when we hit Year 2100,
    PGN]
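
    The three rules Martin contrasts, as an added example written for this
    note (not code from the New Scientist article or from any real payroll or
    parking system): a hard-coded pivot, a date-relative sliding window with a
    configurable horizon, and the nearest-date rule. The pivot value 20 used
    for the fixed-pivot demo is a constructed illustration, not a value taken
    from any deployed system; `fixed_pivot_breaks_in` is the check a reviewer
    would want, the first calendar year in which the "fix" misreads the
    current year itself.

```python
"""Interpreting 2-digit years: fixed pivot vs. sliding window vs. nearest date.

Added example written for this note; it is not code from the New Scientist
article or from any real payroll or parking system. The pivot value 20 in the
fixed-pivot demo is constructed for illustration only.
"""


def fixed_pivot(yy: int, pivot: int = 20) -> int:
    """The 'lazy fix': a hard-coded pivot. yy below the pivot is 20yy, the
    rest is 19yy. Nothing here depends on today's date, which is the defect."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return (2000 if yy < pivot else 1900) + yy


def fixed_pivot_breaks_in(pivot: int) -> int:
    """First calendar year in which the fixed pivot misreads the current
    year itself: 20<pivot> is mapped back to 19<pivot>."""
    return 2000 + pivot


def sliding_window(yy: int, current_year: int, horizon: int = 20) -> int:
    """Sliding window relative to the current date: the result is the unique
    year in (current_year + horizon - 100, current_year + horizon] ending in
    the digits yy. Dates up to `horizon` years ahead are taken as future."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    candidate = current_year - current_year % 100 + yy
    upper = current_year + horizon
    if candidate > upper:
        candidate -= 100
    elif candidate <= upper - 100:
        candidate += 100
    return candidate


def nearest_year(yy: int, current_year: int) -> int:
    """Pick the candidate year closest to the current one. Equivalent to a
    sliding window with a 50-year horizon (a tie at exactly 50 years is
    resolved toward the earlier year)."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    base = current_year - current_year % 100 + yy
    return min((base - 100, base, base + 100),
               key=lambda y: (abs(y - current_year), y))


if __name__ == "__main__":
    for yy in (19, 20, 40, 41, 69, 71, 99):
        print(f"{yy:02d}: pivot={fixed_pivot(yy)} "
              f"window={sliding_window(yy, 2020)} "
              f"nearest={nearest_year(yy, 2020)}")
    print("fixed pivot 20 first misreads the current year in",
          fixed_pivot_breaks_in(20))
```

    Run in 2020, `sliding_window` gives exactly the mapping Martin describes
    ("20" to "40" become 2020 to 2040, "41" becomes 1941), while the fixed
    pivot turns "20" into 1920 the moment the calendar reaches the pivot year.
    The window and nearest-date rules still have a failure mode, but it moves
    with the clock instead of arriving on a fixed date: any stored date more
    than `horizon` years ahead, or more than 100 - `horizon` years behind, is
    misread, so the horizon must be chosen from the data's real date range.
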

    ------------------------------

    Date: Tue, 11 Feb 2020 16:42:09 +0000
    From: Stephen Mason <stephe...@stephenmason.co.uk>
    Subject: Re: Autonomous vehicles (RISKS-31.57)

    Reading through the latest RISKS, I think your readers might be interested
    in the article by Professor Roger Kemp, 'Autonomous vehicles, who will be
    liable for accidents?" -- not quite a legal analysis, but an excellent
    overview of some of the practical issues that do not get discussed very
    often: https://journals.sas.ac.uk/deeslr/issue/view/528

    The books listed below are published on paper and available as open source
    from: https://ials.sas.ac.uk/about/about-us/people/stephen-mason

    Stephen Mason and Daniel Seng, editors, Electronic Evidence (4th edition,
    Institute of Advanced Legal Studies for the SAS Humanities Digital Library,
    School of Advanced Study, University of London, 2017)

    Electronic Signatures in Law (4th edn, Institute of Advanced Legal Studies
    for the SAS Humanities Digital Library, School of Advanced Study, University
    of London, 2016)

    Open source journal: Digital Evidence and Electronic Signature Law Review
    http://dev-ials.sas.ac.uk/digital/i...-evidence-and-electronic-signature-law-review
    (also available via the HeinOnline subscription service)

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.58
    ************************
     
  11. LakeGator

    Risks Digest 31.59

    RISKS List Owner

    Feb 21, 2020 7:18 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 21 February 2020 Volume 31 : Issue 59

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Bluetooth-Related Flaws Threaten Dozens of Medical Devices (WIRED)
    Electronic voting systems (Ross Anderson)
    Orbital Debris Summary (Aerospace.org)
    Fraud Case in Charleston SC Shines Light on Web's Dark Corners (WSJ)
    Israel Says Hamas Targeted Its Soldiers in Honey Trap's Cyberattack (WSJ)
    Your Doorbell Camera Spied on You. Now What? (NYTimes)
    Sex robots may cause psychological damage (BBC)
    Electrical Tape on Sign Tricked a Tesla Into Speeding in a Test
    (Yahoo Finance)
    Spooky Video shows self-driving cars being tricked by holograms (Inverse)
    Microsoft Surface Battery Fail (Larry Werring)
    Hundreds of Millions of PC Components Still Have Hackable Firmware (WIRED)
    EU Commission white paper On Artificial Intelligence - A European approach
    to excellence and trust (Europa via Diego Latella)
    How smartphone addiction changes your brain: Scans reveal how grey
    matter of tech addicts physically changes shape and size in a similar way
    to drug users (Daily Mail)
    US Govt Warns Critical Industries After Ransomware Hits Gas Pipeline
    Facility (CISA)
    Hackers Are Using the Coronavirus Panic to Spread Malware (Malware Bytes)
    Flywheel owners found out that their bikes were bricked through Peloton
    (The Verge)
    Scientists Warn `Insect Apocalypse' Could Doom Humanity (The Guardian)
    Mysterious GPS outages are wracking the shipping industry (Fortune)
    UN/CCW/GGE documents on Autonomous Weapon Systems (Diego Latella)
    IBM, Marriott, and Mickey Mouse Take on Tech's Favorite Law (David McCabe,
    NYTimes, 4 Feb 2020)
    Re: A lazy fix 20 years ago means the Y2K bug is taking down computers
    (John Levine, Martin Ward)
    Re: Debunking the lone woodpecker theory (Gabe Goldberg)
    My smart car rental was a breeze - until I got trapped in the woods
    (The Guardian)
    Today in sharing economy struggles: our app-powered rental car
    lost cell service on the side of a mountain in rural California and now I
    live here I guess (Kari Paul)
    Re: Car renter paired car to FordPass, could still control car long ...
    (Jeremy Epstein, R. G. Newbury)
    Re: The Intelligence Coup of the Century (David Lesher)
    How the Iowa Caucuses Came Crashing Down (WashPost)
    'The only uncertainty is how long we'll last': a worst-case scenario for
    the climate in 2050 (The Guardian)
    Like Something Out of The Book Of Exodus Locust Armies Are Devouring Entire
    Farms In Kenya In As Little As 30 Seconds (CGTN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 21 Feb 2020 14:44:48 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bluetooth-Related Flaws Threaten Dozens of Medical Devices (WIRED)

    Hundreds of smart devices -- including pacemakers -- are exposed thanks to a
    series of vulnerabilities in the Bluetooth Low Energy protocol.

    The Bluetooth Special Interest Group, which oversees development of the
    Bluetooth and BLE standards, did not return a request from WIRED for
    comment about the findings. Bluetooth and BLE implementation issues
    <Bluetooth's Complexity Has Become a Security Risk> are common,
    though, partly because the Bluetooth and BLE standards are massive and
    complex.

    "Some of the vendors we contacted originally, the engineers said, 'Well, the
    reason you're getting these issues is that you're putting in values that are
    not expected, not within the specification,'" Chattopadhyay says. "But you
    can't only be testing for a benign environment. We're talking about an
    attacker here. He doesn't care about what's expected."

    Bluetooth-Related Flaws Threaten Dozens of Medical Devices

    Unfair! Testing unexpected values not in specifications...

    ------------------------------

    Date: Sun, 16 Feb 2020 15:42:04 +0000
    From: Ross Anderson <Ross.A...@cl.cam.ac.uk>
    Subject: Electronic voting systems

    (Note MIT's Voatz item, RISKS-31.58)

    So now both America and Russia have deployed thoroughly unimpressive
    electronic voting systems that claimed to have a blockchain feature.

    Last week at Financial Crypto, Sasha Golovnev talked on Breaking the
    encryption scheme of the Moscow Internet voting system. A new system for
    electronic voting in three wards of the city of Moscow in 2018 had a public
    testing period, in which Sasha and Pierrick Gaudry broke it twice. There was
    no spec, but the source code was put online a day before the first public
    test. It turned out that it used ElGamal encryption with keys under 256
    bits; the encryption was done three times with different keys, and the
    designers were unaware that triple encryption doesn't strengthen ElGamal the
    way it does DES! Their first attack was simple key recovery as CADO-NFS
    could do the discrete logs on a laptop in ten minutes. The election
    authorities changed to 1024-bit ElGamal, whereupon a second attack was
    found: a one-bit leak from a subgroup attack – enough to distinguish between
    the two candidates in the election. The developers denied that this attack
    worked but silently changed the code anyway. There was also an ethereum
    blockchain for vote tallying, which vanished after the election result was
    declared, and the link between the decryption and the blockchain was broken
    when the key size was increased. Other things were wrong too.

    See http://fc20.ifca.ai/preproceedings/178.pdf

    The link to the liveblog from which this is taken is here:
    FC 2020 | Light Blue Touchpaper
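
    The two weaknesses Ross summarises, stacking ElGamal layers and a one-bit
    leak through a subgroup, are the textbook subgroup leak on ElGamal: when
    the generator has even order and plaintexts are not confined to the
    prime-order subgroup, the Legendre symbol of the plaintext is computable
    from public values alone, and each extra encryption layer only adds one
    more public factor. The following is an added illustration on a toy group,
    written for this note; it is not code from the Moscow system or from the
    FC 2020 paper, and the page does not say how that system encoded
    candidates. The prime 23, generator 5, key ranges and the candidate
    encodings 2 and 5 are all constructed so the arithmetic can be checked
    by hand. `encodings_distinguishable` is the pre-deployment check a
    reviewer would want, and `to_subgroup` the usual remedy.

```python
"""Textbook ElGamal on a toy group, showing the classic one-bit subgroup leak
and the encoding check that removes it.

Added example written for this note; not code from the Moscow voting system
or from the FC 2020 paper. Prime, generator, key ranges and the candidate
encodings (2 and 5) are constructed for illustration.
"""
import random

P = 23   # toy safe prime: P = 2*Q + 1
Q = 11
G = 5    # primitive root mod 23, so it is NOT a quadratic residue


def legendre(a: int) -> int:
    """Euler's criterion: +1 if a is a quadratic residue mod P, else -1."""
    return 1 if pow(a % P, (P - 1) // 2, P) == 1 else -1


def keygen(g: int, rng: random.Random):
    """Return (private x, public h = g^x)."""
    x = rng.randrange(1, P - 1)
    return x, pow(g, x, P)


def make_keys(n: int, seed: int):
    """Deterministic helper: n key pairs as (privs, pubs, rng)."""
    rng = random.Random(seed)
    keys = [keygen(G, rng) for _ in range(n)]
    return [x for x, _ in keys], [h for _, h in keys], rng


def encrypt_layered(m: int, pubkeys, g: int, rng: random.Random):
    """Encrypt m under one or more public keys in sequence (three keys
    models the 'encrypt three times' design). Returns (list of g^r_i, c)."""
    shares, c = [], m % P
    for h in pubkeys:
        r = rng.randrange(1, P - 1)
        shares.append(pow(g, r, P))
        c = (c * pow(h, r, P)) % P
    return shares, c


def decrypt_layered(ct, privkeys) -> int:
    """Peel the layers off with the private keys: multiply by each a_i^(-x_i)."""
    shares, c = ct
    for a, x in zip(shares, privkeys):
        c = (c * pow(a, P - 1 - x, P)) % P    # a^(P-1-x) == a^(-x) mod P
    return c


def leaked_legendre(ct, pubkeys) -> int:
    """What a passive observer learns from public data alone.
    leg(c) = leg(m) * prod leg(h_i^r_i), and with g a primitive root
    leg(h_i^r_i) = -1 exactly when both h_i and g^r_i are non-residues.
    Every extra layer just adds one more public factor; it hides nothing."""
    shares, c = ct
    s = legendre(c)
    for a, h in zip(shares, pubkeys):
        if legendre(a) == -1 and legendre(h) == -1:
            s = -s
    return s


def encodings_distinguishable(encodings, g: int, pubkeys,
                              rng: random.Random) -> bool:
    """Pre-deployment check for a ballot encoding: True if an observer can
    tell the values apart from the leaked bit. A safe encoding keeps every
    message inside the order-Q subgroup (all quadratic residues)."""
    leaked = {leaked_legendre(encrypt_layered(m, pubkeys, g, rng), pubkeys)
              for m in encodings}
    return len(leaked) > 1


def to_subgroup(m: int) -> int:
    """Map a ballot value into the quadratic-residue subgroup by squaring
    (decoding is a table lookup when the set of ballot values is small)."""
    return (m * m) % P


if __name__ == "__main__":
    priv, pub, rng = make_keys(3, seed=7)
    ct = encrypt_layered(5, pub, G, rng)
    print("round trip:", decrypt_layered(ct, priv))
    print("weak encoding {2,5} distinguishable:",
          encodings_distinguishable([2, 5], G, pub, rng))
    print("subgroup encoding distinguishable:",
          encodings_distinguishable([to_subgroup(2), to_subgroup(5)],
                                    G, pub, rng))
```

    The point for a reviewer: no amount of layering or key growth closes this
    leak, because the observer never touches a key. Moving to a larger prime
    (as the election authorities did) raises the cost of discrete logarithms
    but leaves `leaked_legendre` untouched; only confining plaintexts to the
    prime-order subgroup, or working entirely inside it, makes the check pass.
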

    ------------------------------

    Date: Sun, 16 Feb 2020 10:43:05 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Orbital Debris Summary (Aerospace.org)

    Space Debris and Space Traffic Management | The Aerospace Corporation

    The URL gives a table summarizing the current statistics on orbital space
    debris by size, quantity estimates, collision effect equivalence (hit by a
    bus or a bomb), and whether or not the detritus is track-able.

    Any object less than 5 cm cross-section cannot be tracked. Objects at or
    above 10 cm cross-section are subject to tracking. The catalog of 10 or 10+
    cm debris objects numbers in the 100s of thousands. I have not found a
    public inventory on the Internet, though space-track.org lists satellite
    records using a standard 2 line summary format that identifies the name and
    their orbital ephemerides.

    An estimated tens of millions of debris objects between 1 mm and 5 cm
    currently orbit Earth at various altitudes.

    ------------------------------

    Date: Mon, 17 Feb 2020 11:45:08 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fraud Case in Charleston SC Shines Light on Web's Dark Corners
    (WSJ)

    Micfo and its founder pleaded not guilty in case revolving around IP
    addresses and the American Registry for Internet Numbers

    WSJ News Exclusive | Fraud Case in Charleston, S.C., Shines Light on Web’s Dark Corners

    ------------------------------

    Date: Mon, 17 Feb 2020 11:51:39 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Israel Says Hamas Targeted Its Soldiers in Honey Trap's Cyberattack
    (WSJ)

    The Israeli military said operatives of the Palestinian militant group Hamas
    targeted its soldiers in a months-long operation that duped them into
    downloading spyware with the false promise of exchanging illicit photos with
    young women.

    Dozens of Israeli soldiers downloaded the spyware, but the scheme was
    detected early enough to prevent important secrets from getting out and the
    Hamas servers hosting the operation were destroyed, the military said on
    Sunday.

    The phishing operation, known as a honey trap, is the third such scheme
    since 2017 and shows how Hamas exploits social media to elicit information
    from enemy soldiers -- and how difficult it is for Israel and others to
    prevent such attacks.

    Israel Says Hamas Targeted Its Soldiers in ‘Honey Trap’ Cyberattack

    ------------------------------

    Date: Thu, 20 Feb 2020 10:22:13 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Doorbell Camera Spied on You. Now What? (NYTimes)

    Amazon's popular Ring security cameras have gaping security holes. Here's
    how to protect yourself.

    Has there ever been a tech product more polarizing than Ring?

    The Internet-connected doorbell gadget, which lets you watch live video of
    your front porch through a phone app or website, has gained a reputation as
    the webcam that spies on you and that has failed to protect your data. Yet
    people keep buying it in droves.

    Ring, which is owned by Amazon and based in Santa Monica, Calif., has
    generated its share of headlines, including how the company fired four
    employees over the last four years for watching customers' videos. Last
    month, security researchers also found that Ring's apps contained hidden
    code, which had shared customer data with third-party marketers. And in
    December, hackers hijacked the Ring cameras of multiple families, using the
    devices' speakers to verbally assault some of them.

    This week, Ring announced new protocols to strengthen the security of its
    products, such as mandating two-factor verification, which requires you to
    punch in a temporary code before logging into your account to see your
    footage. A Ring spokeswoman said the company was focused on constantly
    enhancing its security.

    Yet security experts said that Ring had been slow to react and that its
    solutions were weak.

    Your Doorbell Camera Spied on You. Now What?

    ------------------------------

    Date: Mon, 17 Feb 2020 08:44:16 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Sex robots may cause psychological damage (BBC)

    *US researchers have warned that the availability of sex robots with
    artificial intelligence (AI) poses a growing psychological and moral threat
    to individuals and society*

    They say the technology is escaping oversight because agencies are too
    embarrassed to investigate it.
    The scientists want action to prevent the unregulated use of such robots.

    Dr Christine Hendren of Duke University told BBC News that "the stakes were
    high". "Some robots are programmed to protest, to create a rape scenario,
    Some are designed to look like children. One developer of these in Japan is
    a self-confessed paedophile, who says that this device is a prophylactic
    against him ever hurting a real child. But does that normalise and give
    people a chance to practise these behaviours that should be treated by just
    stamping them out?"

    Dr Hendren was speaking at the annual meeting of the American Association
    for the Advancement of Science.

    A number of sex robots are advertised online. A US-based firm, Realbotix,
    has posted a video marketing its Harmony robot for between $8,000 and
    $10,000.

    It is a life-sized doll which can blink and move its eyes and neck, and
    also its lips as it talks. [...]

    Sex robots may cause psychological damage

    ------------------------------

    Date: Wed, 19 Feb 2020 08:48:20 -0800
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Electrical Tape on Sign Tricked a Tesla Into Speeding in a Test
    (Yahoo Finance)

    Researchers were able to trick a Tesla vehicle into speeding by putting a
    strip of electrical tape over a speed limit sign, spotlighting the kinds of
    potential vulnerabilities facing automated driving systems.

    Technicians at McAfee Inc. placed the piece of tape horizontally across the
    middle of the `3' on a 35 mile-per-hour speed limit sign. The change caused
    the vehicle to read the limit as 85 miles per hour, and its cruise control
    system automatically accelerated, according to research released by McAfee
    on Wednesday.

    McAfee says the issue isn't a serious risk to motorists. No one was hurt and
    the researcher behind the wheel was able to safely slow the car.

    But the findings, from 18 months of research that ended last year,
    illustrate a weakness of machine learning systems used in automated driving,
    according to Steve Povolny, head of advanced threat research at
    McAfee. Other research has shown how changes in the physical world can
    confuse such systems. [...]

    https://finance.yahoo.com/news/electrical-tape-sign-tricked-tesla-090000044.html
    https://www.bloomberg.com/news/arti...-sign-tricked-a-tesla-into-speeding-in-a-test

    ------------------------------

    Date: Fri, 21 Feb 2020 13:44:02 +0100
    From: Diego Latella <Diego....@isti.cnr.it>
    Subject: Spooky Video shows self-driving cars being tricked by holograms
    (Inverse)

    https://www.inverse.com/innovation/us-regulators-greenlight-nuros-r2-autonomous-delivery-vehicle

    Hackers can trick a Tesla into accelerating by 50 miles per hour (MIT Tech Rev)

    https://www.technologyreview.com/s/...tesla-into-accelerating-by-50-miles-per-hour/

    ------------------------------

    Date: Tue, 18 Feb 2020 16:00:41 -0500
    From: Larry Werring <lwer...@nrtco.net>
    Subject: Microsoft Surface Battery Fail

    Given the hype about how dangerous lithium batteries can be and the emphasis
    placed by the International Air Travel Association (IATA) and International
    Civil Aviation Organization (ICAO) on the safety of lithium batteries on
    aircraft (https://www.iata.org/en/programs/cargo/dgr/lithium-batteries), I
    am surprised that the recent lithium battery troubles being experienced by
    Microsoft Surface users has not gained more attention.

    I'm being a bit selfish here because I'm one of the users experiencing the
    problem and my interactions with Microsoft technical support have been less
    than satisfactory. A bit of background - I own both a Microsoft Surface Book
    (1st Gen) and a Microsoft Surface Pro 3. Until recently, I considered these
    to be great products. A few weeks ago I noticed that there were signs
    of burn-through occurring near the edge of the screen on my Surface Book. On
    closer examination this past weekend, I noticed that the frame of my Surface
    Book is warped and the screen itself has begun to bulge outwards. Research
    (Google is your friend) led me to discover that there are numerous
    complaints about Microsoft Surface products failing because the lithium
    battery built into them has swollen. These swollen batteries have led
    to cracked/warped screens and the screen almost popping off the
    computer. Unfortunately, these batteries cannot be removed or replaced.

    Armed with this information I contacted Microsoft Customer Support.
    They immediately confirmed that the lithium battery in my Surface Book is
    likely swelling. I was told to immediately stop using and unplug the
    computer because the failed battery could lead to a loss of all my data -
    not because the swollen battery is dangerous but because I might lose my
    data. He also confirmed that the battery cannot be removed or replaced, I
    must dispose of the computer. I asked the technician whether the swelling
    battery was dangerous and could cause a fire or explosion. He denied this
    insisting that only my data was at risk. However, he did say that they would
    send me special packaging so I could SAFELY ship my computer back to
    Microsoft for disposal, this because our Post Office won't ship swollen
    lithium batteries (I wonder why?). He told me my computer is out of
    warranty but did offer to sell me a replacement for $810 CDN. I told him
    that I wasn't paying that much for a 6-year old computer but that I was more
    concerned about the safety issues associated with defective lithium
    batteries. I noted that there are owners of these computers living and
    traveling around the world who could also be unknowingly experiencing
    swelling batteries and, thus, could be at risk, particularly if the device
    is taken on an aircraft. He dismissed my concerns outright saying that
    only my data was at risk.

    I have discovered that there are a lot of folks experiencing the same
    problem (swelling Surface batteries) and that Microsoft has known about the
    problem for a while. The company appears to have chosen to essentially do
    and say nothing about the risks, and there are risks. At least one user
    has reported that the swollen battery in their Surface computer has caught
    fire.
    (https://answers.microsoft.com/en-us...d/cbf0e621-508f-4e71-a45b-ab8c6e7c888b?page=2)

    So, here we have a battery safety issue that, in the past, has resulted in
    at least one major device recall and an outright ban of those devices on
    aircraft. Yet this popular product by Microsoft is experiencing the same
    problems and they choose to say and do nothing. People's property and lives
    could be at risk. Microsoft should man up and recall all affected Surface
    products.
    (https://www.cnet.com/news/galaxy-note-4-refurbished-batteries-recall/)

    As an aside, my Surface Pro 3 doesn't look like the battery is swelling
    (yet) but I've had to disable the touch screen because the mouse cursor
    repeatedly keeps wanting to jump to the same spot. I suspect that there
    may be pressure on the back of the touch screen causing that problem...
    suggesting that its battery may also be beginning to swell. Sooo, two
    Microsoft products are going to be disposed of - before one of them burns my
    house down.

    Heads up people. If you own a Microsoft Surface Book (1st Gen) or a
    Surface Pro 3 or 4, you may have safety problems with the lithium battery.
    Please be diligent. If you own a later Microsoft Surface product, ask
    Microsoft if your device is safe. I believe the risk could be reduced
    in newer products if Microsoft would redesign the internal battery so it can
    easily be removed and replaced at the first sign of problems.
    Considering their price tag, it seems stupid to dispose of a perfectly good
    computer simply because the battery is swelling.

    On that note - I'm off to buy myself a new non-Microsoft laptop...

    ------------------------------

    Date: Tue, 18 Feb 2020 18:11:42 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hundreds of Millions of PC Components Still Have Hackable Firmware
    (WIRED)

    The lax security of supply chain firmware has been a known concern for years
    -- with precious little progress being made.

    https://www.wired.com/story/firmware-hacks-vulnerable-pc-components-peripherals/

    ------------------------------

    Date: Wed, 19 Feb 2020 16:46:49 +0100
    From: Diego Latella <Diego....@isti.cnr.it>
    Subject: EU Commission white paper On Artificial Intelligence - A European
    approach to excellence and trust (Europa)

    You might be interested in the EU Commission WHITE PAPER On Artificial
    Intelligence: A European approach to excellence and trust, which has been
    just published.
    https://ec.europa.eu/info/sites/inf...-paper-artificial-intelligence-feb2020_en.pdf

    ------------------------------

    Date: Wed, 19 Feb 2020 08:45:21 -0800
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How smartphone addiction changes your brain: Scans reveal how grey
    matter of tech addicts physically changes shape and size in a similar way
    to drug users (Daily Mail)

    - German researchers examined the brains of 48 participants using MRI
    images
    - Total of 22 people smartphone addicts and 26 non-addicts made up the
    cohort
    - Researchers found diminished grey matter volume in key regions of the
    brain
    - Similar phenomenon observed in people who suffer with substance
    addiction [...]

    https://www.dailymail.co.uk/science...le-addicted-smartphone-physically-change.html

    ------------------------------

    Date: Wed, 19 Feb 2020 08:46:14 -0800
    From: geoff goodfellow <ge...@iconia.com>
    Subject: US Govt Warns Critical Industries After Ransomware Hits Gas
    Pipeline Facility (CISA)

    The U.S. Department of Homeland Security's Cybersecurity and Infrastructure
    Security Agency (CISA) earlier today issued a warning to all industries
    operating critical infrastructures about a new ransomware threat that if
    left unaddressed could have severe consequences.

    The advisory <https://www.us-cert.gov/ncas/alerts/aa20-049a> comes in
    response to a cyberattack targeting an unnamed natural gas compression
    facility that employed spear-phishing to deliver ransomware to the
    company's internal network, encrypting critical data and knocking servers
    out of operation for almost two days.

    "A cyber threat actor used a spear-phishing link to obtain initial access to
    the organization's information technology network before pivoting to its
    operational technology network. The threat actor then deployed commodity
    ransomware to encrypt data for impact on both networks," CISA noted in its
    alert.

    As ransomware attacks continue to escalate in frequency and scale, the new
    development is yet another indication that phishing attacks continue to be
    an effective means to bypass security barriers and that hackers don't always
    need to exploit security vulnerabilities to breach organizations. [...]
    <https://thehackernews.com/2019/12/zeppelin-ransomware-attacks.html>
    <https://thehackernews.com/2019/11/everis-spain-ransomware-attack.html>
    https://thehackernews.com/2020/02/critical-infrastructure-ransomware-attack.html

    ------------------------------

    Date: Fri, 21 Feb 2020 11:50:54 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Hackers Are Using the Coronavirus Panic to Spread Malware
    (Malware Bytes)

    *Hackers are posing as the CDC and public health organizations to get
    people to open virus-laden files*
    EXCERPT:

    Hackers are using the public's fear of the coronavirus to steal passwords
    and spread malware, according to multiple cybersecurity firms and computer
    security. The setup is usually simple -- a malicious actor sends a mark
    an email or message that appears to come from an official government source,
    such as the Centers for Disease Control, and gets the mark to click a link
    that asks for personal info. It's an old scam updated to prey on people's
    coronavirus fears.
    <https://blog.malwarebytes.com/socia...battling-online-coronavirus-scams-with-facts/>
    <https://www.trustwave.com/en-us/res...tacks-discovered-using-the-coronavirus-theme/>
    <https://nakedsecurity.sophos.com/2020/02/05/coronavirus-safety-measures-email-is-a-phishing-scam/>

    ``The most prominent coronavirus-themed campaign targeted Japan,
    distributing emotet...in malicious email attachments feigning to be sent by
    a Japanese disability welfare service provider,'' California-based cyber
    security company Check Point said in a report, ``The emails appear to be
    reporting where the infection is spreading in several Japanese cities,
    encouraging the victim to open the document which, if opened, attempts to
    download emotet on their computer.''
    <https://blog.checkpoint.com/2020/02...themed-spam-spreads-malicious-emotet-malware/>

    Emotet is a trojan malware program that, once installed, sits on the
    victim's computer and gathers personal information. Not every
    coronavirus-themed malware requires the user to install software. Many of
    them are simple phishing attempts with a coronavirus theme.

    In a typical example, described in Trustwave's SpiderLabs Blog
    <https://www.trustwave.com/en-us/res...tacks-discovered-using-the-coronavirus-theme/>,
    a strange email address pretending to come from the CDC will reach out to a
    victim telling them a city near them has reported a coronavirus outbreak.
    The email asks the victim to click a link for more info. The link appears to
    be legitimate but redirects to a phishing website that replicates a Windows
    login and asks the users for their email and password. [...]
    https://www.vice.com/en_us/article/n7jdxw/hackers-are-using-the-coronavirus-panic-to-spread-malware

    ------------------------------

    Date: Fri, 21 Feb 2020 11:51:38 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Flywheel owners found out that their bikes were bricked through
    Peloton (The Verge)

    After a patent settlement with Peloton, Flywheel users are left reeling
    with how the company handled news of its bikes suddenly shutting down.
    Every morning at 4:30AM, Shani Maxwell would throw on her Flywheel T-shirt
    and hop on her Fly Anywhere bike. An avid fan who's been riding with
    Flywheel since 2013, she'd leapt at the chance to own the company's branded
    bike when the company released its Peloton competitor in 2017. [...]

    https://www.theverge.com/2020/2/20/...ut-down-email-user-reactions-peloton-trade-in

    ------------------------------

    Date: Fri, 21 Feb 2020 11:52:44 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Scientists Warn `Insect Apocalypse' Could Doom Humanity
    (The Guardian)

    For several years, a crescendo of scientists have sounded alarms over an
    insect apocalypse -- a global dying-off of what may already amount to as
    much as 80 percent of the global bug population.
    <https://www.motherjones.com/environ...reveal-huge-decline-in-the-number-of-insects/>
    <https://www.nytimes.com/2018/11/27/magazine/insect-apocalypse.html>

    Now, in a grim update, 25 scientists around the world have published a stark
    warning: If humankind doesn't manage to save the global bug population, it
    could spell doom for human life.

    Extinction Event

    In a pair of strongly-worded open letters published in the journal *Nature
    Conversation*, the researchers decried the pollution, habitat destruction,
    and climate change they believe is causing the mass death of the world's
    insects.
    <https://www.sciencedirect.com/science/article/pii/S0006320719317823?via=ihub#bb0910>
    <https://www.sciencedirect.com/science/article/pii/S0006320719317793?via=ihub#bb0135>

    ``Each species represents an unrepeatable part of the history of life,'' the
    scientists wrote. ``In turn, each species also interacts with others and
    their environment in distinctive ways, weaving a complex network that
    sustains other species, including us.''

    Bug Hunt

    The scientists wrote, poetically, that the ``fates of humans and insects are
    intertwined.'' In other words, our collective ecological footprint doesn't
    just threaten our fellow Earthlings -- it could also effectively kick the
    ladder out from under our own position in the ecosystem.

    Insects, per the study, provide humans with ``[everything] from pollination
    and decomposition, to being resources for new medicines, habitat quality
    indication'' and more. Turns out, it's a bug's world, and humans are just
    living off of it. The question is: Without their help, for how much longer?
    <https://www.sciencedirect.com/science/article/pii/S0006320719317823?via=ihub#bb0910>

    READ MORE: *Fates of humans and insects intertwined, warn scientists*
    <https://www.theguardian.com/environ...ts-intertwined-scientists-population-collapse>
    [*The Guardian*]

    More on insects:
    *University Deletes Press Release Claiming Evidence of Bugs on Mars*
    <https://futurism.com/university-deletes-press-release-claiming-mars-bugs>

    https://futurism.com/the-byte/scientists-warn-insect-apocalypse-could-doom-humanity

    ------------------------------

    Date: Thu, 20 Feb 2020 10:26:24 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Mysterious GPS outages are wracking the shipping industry (Fortune)

    [See RISKS-31.48,54, etc.]

    For the global maritime shipping industry, spotty satellite navigation is a
    disaster waiting to happen.

    The call came in by radio one evening last September, at around 9 p.m. On
    the line was the master of a tanker, approaching the end of a month-long
    journey from the Port of South Louisiana and carrying more than 5,000 metric
    tons of ethanol. The message was urgent: The ship's GPS signal had suddenly
    disappeared -- leaving the crew to navigate Cyprus's shoreline in the dark.

    On the other end of the line was the pilots' office at the Vasiliko oil
    terminal, whose staff oversees shipping traffic at Vasiliko's harbor on
    Cyprus's arid, palm-fringed southern coast. Stelios Christoforou, the pilot
    on duty, recognized the gravity of the situation right away. In daylight, an
    experienced ship captain can maneuver using paper maps, markers, and the
    coastline as guides. But at night, GPS becomes a critical tool in unfamiliar
    waters -- especially near Cyprus, where NATO and Russian warships
    roam. And any accident could spill the tanker's cargo across miles of
    coastline.

    https://fortune.com/longform/gps-outages-maritime-shipping-industry/

    Seems to need free account to read full article, which is
    interesting/alarming.

    ------------------------------

    Date: Fri, 21 Feb 2020 15:33:33 +0100
    From: Diego Latella <Diego....@isti.cnr.it>
    Subject: UN/CCW/GGE documents on Autonomous Weapon Systems

    The links to the following UN/CCW/GGE documents

    Report of the 2019 session of the Group of Governmental Experts on Emerging
    Technologies in the Area of Lethal Autonomous Weapons Systems
    <https://undocs.org/en/CCW/GGE.1/2019/3> CCW/GGE.1/2019/3 - Sept. 25, 2019

    Chair's Summary - Report of the 2019 session of the Group of Governmental
    Experts on Emerging Technologies in the Area of Lethal Autonomous Weapons
    Systems CCW/GGE.1/2019/3/Add.1 - November 8, 2019
    <https://www.unog.ch/80256EDD006B895...3728F1B052C12584AD004A6628/$file/1919338E.pdf>
    are now available at the page on Computers: National Security, War, and
    Civil Rights (http://www.uspid.org/compwa.html) of the USPID
    (http://www.uspid.org/) web site.

    ------------------------------

    Date: Tue, 18 Feb 2020 09:36:54 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: IBM, Marriott, and Mickey Mouse Take on Tech's Favorite Law
    (David McCabe, NYTimes, 4 Feb 2020)

    A motley group of powerful companies have their knives out for Section 230,
    which shields platforms from lawsuits over content posted by users.

    An unusual constellation of powerful companies and industries are fighting
    to weaken Big Tech by limiting the reach of one of its most sacred laws. The
    law, known as Section 230, makes it nearly impossible to sue platforms like
    Facebook or Google for the words, images and videos posted by their users.

    - - - -

    Corporations are working with the Trump administration to control online
    speech (Ron Wyden, Dem-OR, *The Washington Post*, 14 Feb 2020)
    https://www.washingtonpost.com/opin...3078c8-4e9d-11ea-bf44-f5043eb3918a_story.html

    Some of the biggest corporations in the United States are brawling over the
    future of the law that allows free speech and innovation to thrive
    online. Under the guise of getting rid of lies and protecting children,
    they're working with the Trump administration and top Republicans to
    undermine Americans' rights and give the government unprecedented control
    over online speech.

    ------------------------------

    Date: 17 Feb 2020 16:22:09 -0800
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: A lazy fix 20 years ago means the Y2K bug is taking down
    computers, now (Ward, RISKS-31.58)

    > [And there won't be any COBOL programmers around when we hit Year 2100,
    > PGN]

    Wanna bet? COBOL is now 60 years old. The ISO standard was last updated in
    2014 and now contains OOP constructs borrowed from C++, which is only fair
    since C++ borrowed its structures from COBOL via PL/I and C.

    For all that people complain about COBOL, it is still a pretty good language
    for the things it was designed for -- business calculations with arithmetic
    that follow business rules, e.g., decimal rounding to the nearest cent.

    I realize 2100 is 80 years from now, but we're almost halfway there already.

    [What I meant (somewhat facetiously) was Original COBOL programmers. When
    Y2K approached before 2000, many who were long retired were pulled back
    into duty. Most of them are now long gone. PGN]

    ------------------------------

    Date: Tue, 18 Feb 2020 18:50:00 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: A lazy fix 20 years ago means the Y2K bug is taking down
    computers, now (Levine, RISKS-31.59)

    Many large companies are still using IBM assembler on mainframes. The
    really forward-looking companies are thinking about migrating to the wave of
    the future: COBOL! But the temptation to make do with the current system
    for another year or two is often too strong.

    New technology is not being developed and put into practice in the way it
    used to be (other than exploiting Moore's Law: which itself has slowed
    considerably in the last decade). Consider the technological inventions and
    advances that occurred in the 30 years from 1950 to 1980: microwaves,
    lasers, halogen lamps, LEDs, LCDs, the transistor, integrated circuits,
    minicomputers, microcomputers, games consoles, mobile phones, colour
    television, FM radio, LP records, CDs, video recorders, solar panels, moon
    landings etc. etc.

    Now think about the new technology that has been introduced to everyday life
    between 1990 and 2020. PCs have got faster, with larger memories, mobile
    phones have got smaller and sprouted apps, and what else?

    Given that COBOL has already survived decades of technological innovation,
    in the current period of relative stagnation and caution, there seems to be
    no reason why it should not survive indefinitely.

    Scientific and technological progress are not inevitable features of the
    modern world: they have to be desired and laboured for.

    ------------------------------

    Date: Tue, 18 Feb 2020 13:48:48 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Debunking the lone woodpecker theory (RISKS-31.58)

    Understood, that goes with a curated digest!

    The rambly bit was from friend-of-a-friend; someone else in our little cabal
    commented on it:

    It's impressive that a company like that would even hire someone with actual
    experience. Somebody in HR slipped up somewhere. So is (as Dan was
    discussing in another note) "get code into production as fast as possible"
    just another way of saying "move fast and break things"?

    The risk -- disdain for any sort of technology discipline -- is terrifying.
    NWANC is real and growing.

    ------------------------------

    Date: Wed, 19 Feb 2020 21:48:39 -0000
    From: "Cuckoo Fair Treasurer" <cuckoofai...@gmail.com>
    Subject: My smart car rental was a breeze - until I got trapped in the woods

    The dangers of renting an Internet-enabled (or is it dependent) car and then
    taking it to an area with no mobile coverage

    https://www.theguardian.com/technol...car-gig-rental-app-trapped?CMP=share_btn_link

    ------------------------------

    Date: Tue, 18 Feb 2020 09:38:25 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Today in sharing economy struggles: our app-powered rental car
    lost cell service on the side of a mountain in rural California and now I
    live here I guess

    It appears that although I do not have enough cell service to start up my
    only means of transportation I do have enough to live tweet my struggle so
    thanks for tuning in I will be here indefinitely... apparently in 45
    minutes to an hour a tow truck will come to move us three miles down the
    road where there is cell service so we can start our car the future is
    dumb... six hours, two tow trucks, and 20 calls to customer service later
    apparently it was a software issue and the car needed to be rebooted before
    we could use it...

    ------------------------------

    Date: Sun, 16 Feb 2020 08:54:40 -0500
    From: Jeremy Epstein <jeremy....@gmail.com>
    Subject: Re: Car renter paired car to FordPass, could still control car long
    after return (ZDNet via Shaw, RISKS-31.58)

    The Ford and Enterprise situation is just the tip of the iceberg.
    Enterprise presumably has the technical and financial capability to reset
    every rental car before re-renting it (and perhaps now has the motivation as
    well).

    But what about people renting out their personal vehicles with Getaround or
    Turo or similar services? Those individuals undoubtedly do NOT have the
    knowledge or ability to reset the car, and since the systems are unattended,
    they may never even be accessed by the owner in between rentals. And
    without centralized controls (since such services don't physically manage
    the vehicles), the service can't do the reset for them - unless they enable
    remote automated reset, which brings its own set of risks...

    So, I agree with ZDNet: "Too often, tech companies place the onus on
    customers to work things out for themselves and even to save themselves.
    Or, worse, to only discover a breach when it's too late. Wouldn't it be
    bracing if tech companies, I don't know, showed a little responsibility in
    advance?"

    [However,] that responsibility needs to be considered in light of the
    different usage models, not just the traditional rental car companies (e.g.,
    Enterprise), but also other uses.

    (And FWIW, even something as simple as having the oil changed in your car
    gives the opportunity for someone to link their phone to your car, and
    enable the remote control. So I'd argue this isn't a failure by Enterprise
    - it's a failure by Ford and anyone else who makes remote controls.)

    ------------------------------

    Date: Sun, 16 Feb 2020 22:36:14 -0500
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Car renter paired car to FordPass, could still control car long
    after return (ZDNet via Shaw, RISKS-31.58)

    It's worse than you think. A new OWNER may find himself unable to change the
    car's settings, because the car is still 'locked' to a prior owner. And the
    prior owner still has the power to start or unlock the car. It's not a
    matter of 'clearing' the settings: only the 'owner' can do that! Apparently
    it's not just Land Rover; it could include Jaguar, Audi and BMW cars.

    https://www.theregister.co.uk/2018/07/27/jaguar_land_rover_connected_car_privacy/

    John Leyden, The Register, 27 Jul 2018

    Shock Land Rover Discovery: Sellers could meddle with connected cars if not
    unbound; Secondhand owners who didn't sell at JLR dealer can call us, says
    firm

    Both data and the online controls on "connected cars" from Jaguar Land Rover
    remain available to previous owners, according to security experts and
    owners of the upmarket vehicles. The car maker has defended its privacy
    safeguards and security of its InControl tech.

    El Reg began investigating the issue after talking to Matt Watts, a techie
    who blogged about the issue of connected cars and the data they collect,
    without initially naming Jaguar Land Rover (JLR).

    Watts' secondhand Range Rover came with the ability to remotely control the
    climate systems, call breakdown services, upload GPS/destination details and
    much more. The vehicle also keeps a record of much of this information and
    stores it in an online account.

    Most drivers won't use this functionality, but Watts is a self-admitted
    geek. After he downloaded the JLR app to his smartphone and started to
    experiment, Watts realised that he was able to use the eight digits of the
    vehicle identification number (VIN) to link his vehicle to an online
    account.

    When doing so, the JLR website informed him that the vehicle was linked to
    another user's account. After dealing with support centres and a JLR dealer,
    Watts was eventually told that the previous owners should have disconnected
    before selling on the car. He was initially advised to contact the previous
    owner, which is annoying enough in itself.

    "The process to get the manufacturer to update the online details for the
    vehicle is for me to try and find the previous owner and get them to do it
    for me," Watts wrote.

    The issue goes far beyond Watts being unable to use the funky functionality
    of his secondhand motor, as he explained:

    The previous owner of my car has control over it, they can unlock it, they
    can remotely set the climate control without me knowing about it, even when
    the car isn't running, they potentially can even look at the sat-nav system,
    they can also call break down services to the vehicle and all of this
    without me knowing anything about it.

    *Someone else has access to a significant amount of data about myself and my
    vehicle and there appears to be nothing that the manufacturer is prepared to
    do about it.*

    Watts told El Reg: "Data is being collected about me and the vehicle's
    location and simply provided to whomever previously connected the app to the
    car. JLR needs a bullet-proof method for this to be automatically
    disconnected when the vehicle changes hands. I don't know how you do this
    but the current process is clearly not sufficient." [...]

    ------------------------------

    Date: Sun, 16 Feb 2020 10:14:40 -0500
    From: David <wb8...@panix.com>
    Subject: Re: The Intelligence Coup of the Century (RISKS-31.58)

    One interesting aspect of this reporting is only CIA is mentioned.

    When this saga started, they *were* effectively the Intelligence
    Community. (Their only-child status did not last long.) Yet it's hardly
    their forte to design crypto systems & hardware. That *is* the purview of
    their stepbrothers at Fort Meade.

    While they are now seemingly on good terms, before the end of the Cold War there
    were many tales of their ...discordant... relationship. [I recall being told
    by a SIS just assigned a joint tasking at the other place "I knew there was
    a sea change when I arrived and found they suddenly honored not only my
    badge but my executive parking pass..."]

    So for now one can just wonder what part NSA played in this saga over its
    tenure. It can't be trivial.

    ------------------------------

    Date: Sun, 16 Feb 2020 11:24:09 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: How the Iowa Caucuses Came Crashing Down (WashPost)

    This adds some more details to what happened.

    The Washington Post, 15 Feb 2020
    https://www.washingtonpost.com/poli...b17e7e-4f5f-11ea-b721-9f4cdc90bc1c_story.html

    ------------------------------

    Date: Mon, 17 Feb 2020 08:46:15 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: 'The only uncertainty is how long we'll last': a worst-case
    scenario for the climate in 2050 (The Guardian)

    *The Future We Choose*, a new book by the architects of the Paris climate
    accords, offers two contrasting visions for how the world might look in
    thirty years (read the best case scenario here).
    <https://www.theguardian.com/environ...-choose-christiana-figueres-tom-rivett-carnac>

    EXCERPT:

    It is 2050. Beyond the emissions reductions registered in 2015, no further
    efforts were made to control emissions. We are heading for a world that
    will be more than 3C warmer by 2100

    The first thing that hits you is the air. In many places around the world,
    the air is hot, heavy and, depending on the day, clogged with particulate
    pollution. Your eyes often water. Your cough never seems to disappear. You
    think about some countries in Asia, where, out of consideration, sick
    people used to wear white masks to protect others from airborne infection.
    Now you often wear a mask to protect yourself from air pollution. You can
    no longer simply walk out your front door and breathe fresh air: there
    might not be any. Instead, before opening doors or windows in the morning,
    you check your phone to see what the air quality will be.

    Fewer people work outdoors and even indoors the air can taste slightly
    acidic, sometimes making you feel nauseated. The last coal furnaces closed
    10 years ago, but that hasn't made much difference in air quality around
    the world because you are still breathing dangerous exhaust fumes from
    millions of cars and buses everywhere. Our world is getting hotter. Over the
    next two decades, projections tell us that temperatures in some areas of the
    globe will rise even higher, an irreversible development now utterly beyond
    our control. Oceans, forests, plants, trees and soil had for many years
    absorbed half the carbon dioxide we spewed out. Now there are few forests
    left, most of them either logged or consumed by wildfire, and the permafrost
    is belching greenhouse gases into an already overburdened atmosphere. The
    increasing heat of the Earth is suffocating us and in five to 10 years, vast
    swaths of the planet will be increasingly inhospitable to humans. We don't
    know how hospitable the arid regions of Australia, South Africa and the
    western United States will be by 2100. No one knows what the future holds
    for their children and grandchildren: tipping point after tipping point is
    being reached, casting doubt on the form of future civilisation. Some say
    that humans will be cast to the winds again, gathering in small tribes,
    hunkered down and living on whatever patch of land might sustain them.

    More moisture in the air and higher sea surface temperatures have caused a
    surge in extreme hurricanes and tropical storms. Recently, coastal cities in
    Bangladesh, Mexico, the United States and elsewhere have suffered brutal
    infrastructure destruction and extreme flooding, killing many thousands and
    displacing millions. This happens with increasing frequency now. Every day,
    because of rising water levels, some part of the world must evacuate to
    higher ground. Every day, the news shows images of mothers with babies
    strapped to their backs, wading through floodwaters and homes ripped apart
    by vicious currents that resemble mountain rivers. News stories tell of
    people living in houses with water up to their ankles because they have
    nowhere else to go, their children coughing and wheezing because of the
    mold growing in their beds, insurance companies declaring bankruptcy,
    leaving survivors without resources to rebuild their lives. Contaminated
    water supplies, sea salt intrusions and agricultural runoff are the order of
    the day. Because multiple disasters are often happening simultaneously, it
    can take weeks or even months for basic food and water relief to reach areas
    pummeled by extreme floods. Diseases such as malaria, dengue, cholera,
    respiratory illnesses and malnutrition are rampant.

    You try not to think about the 2 billion people who live in the hottest
    parts of the world, where, for upwards of 45 days per year, temperatures
    skyrocket to 60C (140F), a point at which the human body cannot be outside
    for longer than about six hours because it loses the ability to cool itself
    down. Places such as central India are becoming increasingly challenging to
    inhabit. Mass migrations to less hot rural areas are beset by a host of
    refugee problems, civil unrest and bloodshed over diminished water
    availability.

    Food production swings wildly from month to month, season to season,
    depending on where you live. More people are starving than ever before.
    Climate zones have shifted, so some new areas have become available for
    agriculture (Alaska, the Arctic), while others have dried up (Mexico,
    California). Still others are unstable because of the extreme heat, never
    mind flooding, wildfire and tornadoes. This makes the food supply in general
    highly unpredictable. Global trade has slowed as countries seek to hold on
    to their own resources.

    Countries with enough food are resolute about holding on to it. As a result,
    food riots, coups and civil wars are throwing the world's most vulnerable
    from the frying pan into the fire. As developed countries seek to seal their
    borders from mass migration, they too feel the consequences. Most
    countries' armies are now just highly militarised border patrols. Some
    countries are letting people in, but only under conditions approaching
    indentured servitude. [...]

    https://www.theguardian.com/environ...-choose-christiana-figueres-tom-rivett-carnac

    ------------------------------

    Date: Mon, 17 Feb 2020 08:47:41 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Like Something Out of The Book Of Exodus Locust Armies Are
    Devouring Entire Farms In Kenya In As Little As 30 Seconds (CGTN)

    <https://africa.cgtn.com/2020/02/09/swarms-big-as-cities-un-chief-says-locust-fight-must-intensify/>

    ... we have never seen anything like this before. The UN continues to warn
    that the number of locusts could get 500 times bigger by June. But even if
    this plague ended right now, millions of people would still be facing a
    devastating famine in the months ahead. These locusts travel in swarms up
    to 40 miles wide, each one can eat the equivalent of its own body weight
    every day, and the swarms can travel close to 100 miles in a 24 hour period.
    This is a nightmare of epic proportions, and it is just getting started.

    National Geographic has never been known to sensationalize news stories, but
    even they are saying that this plague is like something out of the Book of
    Exodus. [...]
    <https://www.nationalgeographic.com/science/2020/02/locust-plague-climate-science-east-africa/>

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.59
    ************************
     
  12. LakeGator

    Risks Digest 31.60

    RISKS List Owner

    Mar 6, 2020 4:49 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 6 March 2020 Volume 31 : Issue 60

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Tesla Autopilot crash driver 'was playing video game' (BBC News)
    NTSB report on Walter Huang/Tesla crash (The Verge)
    Apple's Upcoming 'CarKey' Feature Will Let You Send Digital Keys
    Using Messages App (MacRumors)
    Reliability of Pricey New Voting Machines Questioned (ACM Tech News)
    ElectionGuard (Lite via Rob Slade)
    California man arrested on charges his DDoSes took down candidate's website
    (Ars Technica)
    A high-school student created a fake 2020 candidate. Twitter verified it
    (CNN Business)
    Radioactive products were popular in the early 20th century and still set
    off geiger counters (WashPost)
    Hackers Can Use Ultrasonic Waves to Secretly Control Voice Assistant Devices
    (TheHackerNew)
    Hackers target cable TV alert system and send false messages
    (Shawn Merdinger)
    Phishing scams are getting more sophisticated; what to look out for
    (Business Insider)
    LTE security flaw can be abused to take out subscriptions at your expense
    (Bochum)
    What to do about artificially intelligent government (Stanford)
    Lawsuit Says Google Used School Software To Spy On Children (NYT)
    New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices
    (The Hacker News)
    A Viral Email About Coronavirus Had People Smashing Buses And Blocking
    Hospitals. (Buzzfeednews)
    Security self-theatre? (COVID-19 and masks)
    Man who breached coronavirus stay-home notice stripped of Singapore PR
    status, barred from re-entry (The Straits Times)
    How coronavirus turned the dystopian joke of FaceID masks into a reality
    (Technology Review)
    The Computer Says No! UCLA face recognition (Fight for the Future via
    Paul Cornish)
    AI baby monitors attract anxious parents: Fear is the quickest way to get
    people's attention (WashPost)
    How North Korean Hackers Rob Banks Around the World (WIRED)
    Fido Alliance gets backing from Apple to replace passwords (9to5Mac)
    911 operators couldn't trace the location of a dying student's phone. It's
    a growing issue. (WashPost)
    Rice University Boosts 'Internet of Things' Security -- Again
    (Mike Williams)
    Startup's Stock Trading App experiences a day-long outage on one of
    the busiest trading days of the year (Tech Crunch)
    Government-Run Energy Company Keeps Reeling in the Same Employees
    in Phishing Training (nextgov.com)
    Clearview AI has billions of our photos. Its entire client list was just
    stolen (CNN Business)
    Afraid of the Thirteenth Floor? Superstition and Real Estate, Part 2
    (Skeptical Inquirer)
    Hilton drags corporate feet, minimizes disclosing personal data held
    (A friend via Gabe Goldberg)
    How a Hacker's Mom Broke Into a Prison -- and the Warden's Computer (WiReD)
    Old RISKS risks are still in vogue (WXYZ via David Lesher)
    Risks of Leap Years and Dumb Digital Watches (Mark Brader)
    TikTok Challenges, Ranked by How Likely They Are to Maim or Kill You (Vice)
    Algorithm Targets Marijuana Convictions Eligible To Be Cleared (npr.org)
    Would you eat a 'steak' printed by robots? (bbc.com)
    'They lied to us': Mom says police deceived her to get her DNA and charge
    her son with murder (NBC News)
    Taxes are expected to rise in Taunton, MA after an assessing tech snafu
    (Christopher Gavin)
    Pets 'go hungry' after smart feeder goes offline (bbc.com)
    Emissions possible: Streaming music swells carbon footprints (Al Jazeera
    via Dan Jacobson)
    Re: Linux is ready for the end of time (John Stockton)
    Re: Mysterious GPS outages are wracking the shipping industry
    (Craig S. Cottingham)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 26 Feb 2020 20:47:15 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tesla Autopilot crash driver 'was playing video game' (BBC News)

    An Apple employee who died after his Tesla car hit a concrete barrier was
    playing a video game at the time of the crash, investigators believe.

    The US National Transportation Safety Board (NTSB) said the car had been
    driving semi-autonomously using Tesla's Autopilot software.

    Tesla instructs drivers to keep their hands on the wheel in Autopilot mode.

    But the NTSB said more crashes were foreseeable if Tesla did not implement
    changes to its Autopilot system.

    The authority has published the results of a two-year investigation,
    following the crash in March 2018.

    Tesla's Autopilot software steered the vehicle into the triangular `gore
    area' at a motorway intersection, and accelerated into a concrete barrier.


    Darwin wins again.

    ------------------------------

    Date: Tue, 25 Feb 2020 17:49:59 -0800
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: NTSB report on Walter Huang/Tesla crash (The Verge)

    [Thanks to Natarajan Shankar, PGN]

    Tesla Autopilot, distracted driving to blame in deadly 2018 crash

    ------------------------------

    Date: Sat, 22 Feb 2020 15:52:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple's Upcoming 'CarKey' Feature Will Let You Send Digital Keys
    Using Messages App (MacRumors)

    As discovered in the first beta of iOS 13.4, Apple is working on a new
    `CarKey' feature that will allow an iPhone or an Apple Watch to unlock,
    lock, and start NFC-compatible vehicles.


    ------------------------------

    Date: Wed, 26 Feb 2020 11:45:43 -0500 (EST)
    From: ACM TechNews <technew...@acm.org>
    Subject: "Reliability of Pricey New Voting Machines Questioned"

    Computer security experts continue to express doubts that expensive new
    voting machines are reliable, considering them almost as risky as earlier
    discredited electronic systems. Called ballot-marking devices, the machines
    have touchscreens for registering voter choices and print out paper records
    scanned by optical readers. South Carolina voters will use the systems,
    which are at least twice as expensive as the hand-marked paper ballot
    option, in Saturday's primary. Daniel Lopresti, a computer scientist at
    Lehigh University and a South Carolina election commissioner, said, ``What
    we worry is, what happens the next time if there's a programming bug, or a
    hack or whatever, and it's done in a way that's not obvious?'' Said
    University of South Carolina's Duncan Buell, ``I don't know that we've ever
    seen an election computer, a voting computer, whose software was done to a
    high standard.''

    ------------------------------

    Date: Sat, 29 Feb 2020 11:08:05 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: ElectionGuard (Lite via Rob Slade)

    Microsoft has come up with a new electronic voting system, called
    ElectionGuard.

    (Yes, OK, *that* Microsoft. But it does sound possible.)

    First off, this is not online or remote voting. This is a vote tabulation
    system. You vote on a device, a memory card is read and counted, and you
    get a paper record of your vote. The individual votes are encrypted using
    homomorphic encryption (probably a version of Rivest's *Three Ballot*
    algorithm).

    ElectionGuard is open source, so I imagine that electronic voting
    researchers will be looking under the hood. I'd like to know how you
    prevent election officials from reading the printouts that voters receive
    (but that's more a matter of training and process). I'd like to know how
    many random challenges you make, taking real votes and checking to see if
    they've been tabulated properly. (There are likely some legal issues in
    that regard.)

    But it does sound promising.

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Fri, 21 Feb 2020 18:37:47 -0500
    Subject: California man arrested on charges his DDoSes took down candidate's
    website (Ars Technica)

    Feds say defendant used Amazon servers to wage DDoS attacks that cost the rival campaign.


    ------------------------------

    Date: Fri, 28 Feb 2020 07:06:27 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: A high-school student created a fake 2020 candidate. Twitter
    verified it (CNN Business)

    Story by Donie O'Sullivan, CNN Business
    Video by Richa Naik and Craig Waxman

    Updated 1257 GMT (2057 HKT) February 28, 2020

    Andrew Walz calls himself a *proven business leader* and a *passionate
    advocate for students*. Walz, a Republican from Rhode Island, is running
    for Congress with the tagline, "Let's make change in Washington together,"
    or so his Twitter account claimed.

    Earlier this month, Walz's account received a coveted blue checkmark from
    Twitter as part of the company's broader push to verify the authenticity
    of many Senate, House and gubernatorial candidates currently running for
    office. Twitter has framed this effort as key to helping Americans find
    reliable information about politicians in the leadup to the 2020 election.

    But there's just one problem: Walz does not exist. The candidate is the
    creation of a 17-year-old high school student from upstate New York, CNN
    Business has learned.

    The student, who CNN Business spoke to with the permission of his parents
    and has agreed not to name as he is a minor, said he was `bored' over the
    holidays and created the fake account to test Twitter's election integrity
    efforts.


    ------------------------------

    Date: Sun, 1 Mar 2020 00:53:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Radioactive products were popular in the early 20th century and
    still set off geiger counters (WashPost)

    Not long ago, curator Natalie Luvera began to worry about the strangest item
    in the National Atomic Testing Museum's collection of artifacts -- a tiny
    1920s device designed to restore lost manhood by irradiating the manliest of
    human body parts.

    Was the gold-plated *scrotal radiendocrinator* still dangerous after nearly
    a century? Luvera tested it with a Geiger counter, got a worrisome reading
    and called in a radioactivity response team to double-check. ``They came
    down and said, `Nope, you shouldn't have that here.' '' [...]

    The device was the brainchild of an extraordinary quack named William
    J.A. Bailey, who liked to describe radiation as *eternal sunshine*. He also
    hawked bottles of Radithor -- *certified radioactive water* -- that were
    touted as a cure-all for disorders such as impotence and fatigue.

    https://www.washingtonpost.com/heal...1fd724-37c9-11ea-bf30-ad313e4ec754_story.html

    ...that's a great museum, BTW.

    ------------------------------

    Date: Mon, 2 Mar 2020 14:13:17 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Hackers Can Use Ultrasonic Waves to Secretly Control Voice
    Assistant Devices (TheHackerNew)

    *It works over a longer distance and without the need to be in
    line-of-sight.*

    EXCERPT:

    Researchers have discovered a new means to target voice-controlled devices
    by propagating ultrasonic waves through solid materials in order to
    interact with and compromise them using inaudible voice commands without
    the victims' knowledge.

    Called SurfingAttack,
    <https://surfingattack.github.io/papers/NDSS-surfingattack.pdf> the attack
    leverages the unique properties of acoustic transmission in solid materials
    -- such as tables -- to ``enable multiple rounds of interactions between the
    voice-controlled device and the attacker over a longer distance and without
    the need to be in line-of-sight.''

    In doing so, it's possible for an attacker to interact with the devices
    using the voice assistants, hijack SMS two-factor authentication codes, and
    even place fraudulent calls, the researchers outlined in the paper, thus
    controlling the victim device inconspicuously.

    The research was published by a group of academics from Michigan State
    University, Washington University in St. Louis, Chinese Academy of
    Sciences, and the University of Nebraska-Lincoln.

    The results were presented at the Network Distributed System Security
    Symposium (NDSS) on February 24 in San Diego.

    How Does the SurfingAttack Work? [...]

    ------------------------------

    Date: Mon, 24 Feb 2020 14:04:08 -0500
    From: Shawn Merdinger <shaw...@gmail.com>
    Subject: Hackers target cable TV alert system and send false messages

    On Thursday, 20 February 2020 in Washington state EAS units were compromised
    at WAVE Broadband and sent at least 3 unapproved EAS alerts to 3000+ cable
    subscribers.

    News:

    False TV alert over 'radiological hazard' concerns Washington emergency officials

    At least one family took the warning to heart. A viewer wrote to KING 5 and
    said, ``We experienced an hour of pure terror. We evacuated our house with
    our dogs and drove to Sequim to my parents. Wondering when and if we would
    die.''


    ``A lot of problems happen when these are first put in because there's a
    default password and if somebody knows the default password and there hasn't
    been time for an organization to change the default password, those can
    easily be hacked,'' Nealey said.

    ------------------------------

    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Date: Tue, 25 Feb 2020 06:40:30 -0700
    Subject: Phishing scams are getting more sophisticated; what to look out for
    (Business Insider)

    - Phishing scams in which hackers pose as trusted figures to trick
    people into handing over passwords are getting increasingly sophisticated.
    - Security experts describe an arms race between services that weed out
    scammers and attackers developing new tricks and workarounds.
    - Phishing is on the rise, and costing over $57 million from more than
    114,000 victims in the US last year, according to a recent FBI report.

    EXCERPT:

    Hackers don't break in, they log in.

    That mantra, often repeated by security experts, represents a rule of thumb:
    The vast majority of breaches are the result of stolen passwords, not
    high-tech hacking tools.

    These break-ins are on the rise. Phishing scams -- in which attackers pose
    as a trustworthy party to trick people into handing over personal details or
    account information -- were the most common type of Internet crime last
    year, according to a recent FBI report
    <FBI Releases the Internet Crime Complaint Center 2019 Internet Crime Report — FBI>.
    People lost more than $57.8 million in 2019 as the result of phishing,
    according to the report, with over 114,000 victims targeted in the US.

    And as phishing becomes more profitable, hackers are becoming increasingly
    sophisticated in the methods they use to steal passwords, according to
    Tanmay Ganacharya, a principal director in Microsoft's Security Research
    team.

    ``Most of the attackers have now moved to phishing because it's easy. If I
    can convince you to give me your credentials, it's done. There's nothing
    more that I need,'' Ganacharya told Business Insider.

    Ganacharya monitors phishing tactics in order to build machine-learning
    systems that root out scams for people using Microsoft services, including
    Windows, Outlook, and Azure, Microsoft's cloud computing service. This
    week, Microsoft announced
    <Delivering on the promise of security AI to help defenders protect today's hybrid environments - The Official Microsoft Blog>
    that it will begin selling its threat-protection services for platforms
    including Linux, iOS, and Android.

    Ganacharya spoke to Business Insider about the trends in phishing that his
    team has observed. Many of the tactics aren't new, but he said attackers
    are constantly finding new ways to work around defenses like Microsoft's
    threat protection. Here's what he described...

    [...]
    Hackers are getting better at tricking people into handing over passwords — here's what to look out for, according to experts

    ------------------------------

    Date: Tue, 25 Feb 2020 06:41:20 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: LTE security flaw can be abused to take out subscriptions at your
    expense (Bochum)

    Researchers say the vulnerability impacts virtually all smartphones on the
    market.

    EXCERPT:

    A security vulnerability in LTE can be exploited to sign up for
    subscriptions or paid website services at someone else's expense, new
    research suggests.

    According to researchers
    <https://news.rub.de/english/press-r...kers-can-impersonate-other-mobile-phone-users>
    from Ruhr-Universitaet Bochum, the flaw exists in the 4G mobile
    communication standard and permits smartphone user impersonation, which
    could allow attackers to ``start a subscription at the expense of others or
    publish secret company documents under someone else's identity.''

    The research, titled IMP4GT: IMPersonation Attacks in 4G NeTworks, is the
    work of David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina
    Pöpper.

    See also: Honeywell, Verizon partner on integrating LTE, smart meters,
    lay groundwork for 5G
    <https://www.zdnet.com/article/honey...ating-lte-smart-meters-lay-groundwork-for-5g/>

    The IMP4GT attack <https://imp4gt-attacks.net/> impacts ``all devices that
    communicate with LTE,'' which includes *virtually all* smartphones, tablets,
    and some Internet of Things (IoT) devices.

    Software-defined radios are a key element of IMP4GT. These devices are able
    to read the communications channels between a mobile device and base
    station, and by using them, it is possible to trick a smartphone into
    considering the radio is the base station -- and dupe the network into
    treating the radio as the mobile phone.

    Once this channel of communication is compromised, it is time to start
    manipulating data packets being sent between an LTE device and base station.

    ``The problem is the lack of integrity protection: data packets are
    transmitted encrypted between the mobile phone and the base station, which
    protects the data against eavesdropping. However, it is possible to modify
    the exchanged data packets. We don't know what is where in the data packet,
    but we can trigger errors by changing bits from 0 to 1 or from 1 to 0.''

    These errors can then force a mobile phone and base station to either
    decrypt or encrypt messages, converting information into plaintext or
    creating a situation in which an attacker is able to send commands without
    authorization. [...]
    https://www.zdnet.com/article/lte-s...ed-to-take-out-subscriptions-at-your-expense/
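    The quoted passage describes what happens when traffic is encrypted but
    not integrity-protected. The Python below is an added illustration, not
    code from the researchers or the article: a toy keystream cipher built
    from SHA-256 counter blocks (a constructed stand-in for the LTE ciphers)
    shows that a single ciphertext bit flip silently becomes a plaintext bit
    flip at the receiver, while an HMAC over the ciphertext makes the
    receiver reject the modified packet. Keys, nonce and packet contents are
    constructed sample values.

```python
"""Encryption without integrity protection is malleable; a MAC closes the gap.

Added illustration. The keystream generator is a constructed toy
(SHA-256 over key || nonce || counter), NOT the LTE EEA algorithms, but any
keystream-XOR cipher shares the property demonstrated here.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy CTR-style keystream: SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_no_integrity(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_no_integrity(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def modify_in_transit(data: bytes, offset: int, bit: int) -> bytes:
    """Flip one bit of a packet on the wire (transmission error or tampering).

    No key is needed: the change is made to the ciphertext, and XOR carries
    it straight through to the same bit of the decrypted plaintext.
    """
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def encrypt_with_integrity(key: bytes, mac_key: bytes, nonce: bytes,
                           plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt-then-MAC: the tag binds nonce and ciphertext to the MAC key."""
    ciphertext = encrypt_no_integrity(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def decrypt_with_integrity(key: bytes, mac_key: bytes, nonce: bytes,
                           ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag first; refuse to decrypt anything that was modified."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: packet modified in transit")
    return decrypt_no_integrity(key, nonce, ciphertext)


def demo() -> dict:
    """Run both variants on a constructed packet and report what the receiver sees."""
    key = b"\x11" * 16       # constructed sample key
    mac_key = b"\x22" * 16   # constructed sample MAC key
    nonce = b"\x00" * 8      # constructed sample nonce
    plaintext = b"GET /index.html"  # constructed sample packet payload

    # Without integrity protection: the receiver decrypts garbage and trusts it.
    ct = encrypt_no_integrity(key, nonce, plaintext)
    modified = modify_in_transit(ct, 0, 0)          # bit 0 of byte 0
    recovered = decrypt_no_integrity(key, nonce, modified)  # 'G' (0x47) becomes 'F' (0x46)

    # With integrity protection: the same modification is detected and dropped.
    ct2, tag = encrypt_with_integrity(key, mac_key, nonce, plaintext)
    try:
        decrypt_with_integrity(key, mac_key, nonce, modify_in_transit(ct2, 0, 0), tag)
        detected = False
    except ValueError:
        detected = True

    return {
        "recovered_without_mac": recovered,
        "tamper_detected_with_mac": detected,
        "recovered_with_mac": decrypt_with_integrity(key, mac_key, nonce, ct2, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```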

    ------------------------------

    Date: Wed, 26 Feb 2020 19:16:55 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: What to do about artificially intelligent government

    EXCERPT:

    The White House's recent efforts to chart a national artificial intelligence
    (AI) policy are welcome and, frankly, overdue. Funding for AI research and
    updating agency IT systems is a good start. So is guidance for agencies as
    they begin to regulate industry use of AI. But there's a glaring gap: The
    White House has been silent about the rules that apply when agencies use AI
    to perform critical governance tasks.
    <https://about.bgov.com/news/white-house-proposes-92-billion-it-budget-in-fy-2021/>
    <https://news.bloomberglaw.com/tech-...intelligence-principles-issued-by-white-house>

    This matters because, of all the ways AI is transforming our world, some of
    the most worrying come at the intersection of AI and the awesome power of
    the state. AI drives the facial recognition police use to surveil citizens.
    It enables the autonomous weapons changing warfare. And it powers the tools
    judges use to make life-changing bail, sentencing and parole decisions.
    Concerns about each have fueled debate and, as to facial recognition in
    particular, new laws banning use.
    <https://www.bloomberg.com/news/arti...-londoners-faces-sparks-human-rights-concerns>
    <https://www.bloomberg.com/news/videos/2019-05-16/face-it-you-re-being-watched-video>

    Sitting just beyond the headlines, however, is a little-known fact: AI use
    already is pervasive in government. Prohibition for most uses is not an
    option, or at least not a wise one. Needed instead is a frank conversation
    about how to give the government the resources it needs to develop
    high-quality and fairly deployed AI tools and build sensible accountability
    mechanisms around their use.

    We know because we led a team of lawyers and computer scientists at Stanford
    and New York universities to advise federal agencies on how to develop and
    oversee their new algorithmic toolkit.

    Our research
    <https://law.stanford.edu/education/...igence-in-the-regulatory-state/#slsnav-report>
    shows that AI use spans government. By our estimates, half of major federal
    agencies have experimented with AI. Among the 160 AI uses we found, some --
    such as facial recognition -- are fueling public outcries. But many others
    fly under the radar. The Securities and Exchange Commission (SEC) uses AI to
    flag insider trading; the Centers for Medicare and Medicaid Services uses it
    to ferret out health care fraud. The Social Security Administration is
    piloting AI tools to help decide who gets disability benefits, and the
    Patent and Trademark Office to decide who gets patent protection.

    Still other agencies are developing AI tools to communicate with the public,
    by sifting millions of consumer complaints or using chatbots to field
    questions from welfare beneficiaries, asylum seekers and taxpayers.

    Our research also highlights AI's potential to make government work better
    and at lower cost. AI tools that help administrative judges spot errors in
    draft decisions can shrink backlogs that leave some veterans waiting years
    <https://www.militarytimes.com/news/...enefits-backlog-is-higher-than-officials-say/>
    (sometimes, close to a decade) for benefits. AI can help ensure that the
    decision to launch a potentially ruinous enforcement action does not reflect
    the mistakes, biases, or whims of human prosecutors. And AI can help make
    more precise judgments about which drugs threaten public health.

    But the picture is not all rosy. [...]
    https://thehill.com/opinion/technology/483878-what-to-do-about-artificially-intelligent-government

    ------------------------------

    Date: Sun, 23 Feb 2020 07:55:15 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Lawsuit Says Google Used School Software To Spy On Children (NYT)

    EXCERPT:

    New Mexico's attorney general sued Google on Thursday, saying the tech giant
    used its educational products to spy on the state's children and families.

    Google collected a trove of students' personal information, including data
    on their physical locations, websites they visited, YouTube videos they
    watched and their voice recordings, Hector Balderas, New Mexico's attorney
    general, said in a federal lawsuit.

    ``The consequences of Google's tracking cannot be overstated: Children are
    being monitored by one of the largest data mining companies in the world,
    at school, at home, on mobile devices, without their knowledge and without
    the permission of their parents,'' the lawsuit said.
    <https://cdn.vox-cdn.com/uploads/chorus_asset/file/19734145/document_50_.pdf>

    Over the last eight years, Google has emerged as the predominant tech brand
    in American public schools
    <https://cdn.vox-cdn.com/uploads/chorus_asset/file/19734145/document_5.pdf>,
    outpacing rivals like Apple and Microsoft by offering a suite of
    inexpensive, easy-to-use tools.

    Today, more than half of the nation's public schools -- and 90 million
    students and teachers globally -- use free Google Education apps like Gmail
    and Google Docs. More than 25 million students and teachers also use
    Chromebooks, laptops that run on the company's Chrome operating system, the
    lawsuit said.

    In September, Google agreed to pay a $170 million fine to settle federal
    and New York State charges that it illegally harvested the personal data
    <https://www.nytimes.com/2019/09/04/technology/google-youtube-fine-ftc.html>
    of children on YouTube.

    The new lawsuit, filed in U.S. District Court for the District of New
    Mexico, claimed that Google violated the federal Children's Online Privacy
    Protection Act. The law requires companies to obtain a parent's consent
    before collecting the name, contact information and other personal details
    from a child under 13.

    The lawsuit also said Google deceived schools, parents, teachers and
    students by telling them that there were no privacy concerns with its education
    products when, in fact, the company had amassed a trove of potentially
    sensitive details on students' online activities and locations. [...]

    https://www.nytimes.com/2020/02/20/technology/new-mexico-google-lawsuit.html

    ------------------------------

    Date: Fri, 28 Feb 2020 14:32:57 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices
    (The Hacker News)

    EXCERPT:

    Cybersecurity researchers today uncovered a new high-severity hardware
    vulnerability residing in the widely-used Wi-Fi chips manufactured by
    Broadcom and Cypress -- apparently powering over a billion devices,
    including smartphones, tablets, laptops, routers, and IoT gadgets.

    Dubbed 'Kr00k' and tracked as CVE-2019-15126, the flaw could let nearby
    remote attackers intercept and decrypt some wireless network packets
    transmitted over-the-air by a vulnerable device.

    The attacker does not need to be connected to the victim's wireless network
    and the flaw works against vulnerable devices using WPA2-Personal or
    WPA2-Enterprise protocols, with AES-CCMP encryption, to protect their
    network traffic.

    ``Our tests confirmed some client devices by Amazon (Echo, Kindle), Apple
    (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi
    3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were
    vulnerable to Kr00k,'' ESET researchers said.

    According to the researchers <https://www.eset.com/int/kr00k/>, the Kr00k
    flaw is somewhat related to the KRACK attack
    <https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html>, a
    technique that makes it easier for attackers to hack Wi-Fi passwords
    <https://thehackernews.com/2018/08/how-to-hack-wifi-password.html> protected
    using a widely-used WPA2 network protocol.

    First, Learn What Kr00k Attack Doesn't Allow: [...]
    https://thehackernews.com/2020/02/kr00k-wifi-encryption-flaw.html

    ------------------------------

    Date: Mon, 24 Feb 2020 04:56:25 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: A Viral Email About Coronavirus Had People Smashing Buses And
    Blocking Hospitals. (Buzzfeednews)

    Ukraine's security service said the fake email that was supposedly from the
    Ministry of Health had actually been sent from outside the country.

    https://www.buzzfeednews.com/article/christopherm51/coronavirus-ukraine-china

    ------------------------------

    Date: Sat, 29 Feb 2020 11:43:15 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Security self-theatre? (COVID-19 and masks)

    OK, first off, to let you know that I know what I'm talking about, I put
    myself through university by working in the medical field, first as a
    practical nurse (I spent considerable time working in an isolation ward),
    and later as an industrial first aid attendant. (My required non-physics
    elective at university was medical physiology.) I've also been an emergency
    management volunteer for a couple of decades.

    Now I've talked about security theatre in regard to COVID-19, and we are
    discussing other issues related to the coronavirus. But one of the things
    that has bugged me ever since it started hitting the news is the masks.

    Masks won't keep you from getting COVID-19, or any other droplet-borne
    virus. (At least, they don't reduce your risk very much.) The paper face
    masks provide next to no protection in this regard, and the N95 masks aren't
    much better. Droplet-borne viruses will still get on your skin, on your
    face, and into your eyes, and simple daily activities make you touch your
    skin and face and mouth and eyes and provide the viruses a path inside. You
    don't need to inhale the virus to get it, and, if you do get COVID-19, it
    probably will be from some other pathway than inhaling it. This is why
    frequent (*very* frequent) handwashing is important. (Hand sanitizer is
    good, too. If you use it frequently.)

    Masks are useful, if *you* have the virus, in preventing you giving it to
    other people. (Not a complete prevention, mind, but useful.) So, if you
    are wearing a face mask in public during this epidemic, you are making one
    of two statements: 1) I AM INFECTED WITH THE COVID-19 VIRUS!! or 2) I AM
    STUPID AND IGNORANT!!

    This advice, by the way, applies to influenza as well. Which brings up
    another point: if you are worried about the COVID-19 virus, and still
    haven't yet gotten a flu shot, you are stupid and ignorant. Even in China,
    you are much, much more likely to get the flu than COVID-19. Even in China,
    the likelihood that the next person you meet will have COVID-19 is about
    .0001. (Probably somewhat less.) But if you go out into a crowd (if you
    can *find* a crowd in China these days), you are likely to encounter
    somebody with the flu. Having a flu shot probably doesn't reduce your risk
    of getting COVID-19, but it does reduce your risk of getting the flu. If
    you get the flu, then you may have to get tested for COVID-19, and that puts
    that much more demand on the system and resources.

    Wash your hands.

    If you haven't got a flu shot, get one.

    Don't panic buy, hoard, or misuse masks and gloves. If you need them,
    you'll get them. (If other people haven't been panic buying and hoarding.)
    https://lite.cnn.com/en/article/h_cd175447b3f892d7adcb7c196b0b7316

    Now go wash your hands.

    ------------------------------

    Date: Wed, 26 Feb 2020 09:12:29 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Man who breached coronavirus stay-home notice stripped of
    Singapore PR status, barred from re-entry (The Straits Times)

    https://www.straitstimes.com/singap...-who-breached-stay-home-notice-stripped-of-pr

    Singapore prioritizes public health and civility. Unwise to violate these
    orders, especially in a time of elevated pandemic conditions.

    ------------------------------

    Date: Sun, 1 Mar 2020 09:38:17 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: How coronavirus turned the dystopian joke of FaceID masks into a
    reality (Technology Review)

    *Thousands ordered masks that let them unlock their phones during
    outbreaks. But this viral art project doesn't just work with surveillance
    technology -- it works against it, too.*

    EXCERPT:

    Two weeks ago, Danielle Baskin had an idea for a tongue-in-cheek art
    project. Now, she's suddenly big in China.

    While talking with friends about the coronavirus outbreak
    <https://www.technologyreview.com/s/615290/how-to-prepare-for-the-coronavirus-covid19/>,
    Baskin, an artist in San Francisco, realized that people using face masks to
    protect themselves from infection would have trouble unlocking phones that
    use facial recognition. (This has indeed been a problem
    <https://www.abacusnews.com/tech/fac...-wear-masks-avoid-coronavirus/article/3048006>.)
    She quickly created a prototype of a mask printed with a face -- not *your*
    face, but rather unique faces of imaginary people generated using artificial
    intelligence <https://www.thispersondoesnotexist.com/> -- and posted her
    idea on Twitter:
    ``Protect people from viral epidemics while still being able to unlock your
    phone.''

    The demand was immediate. Those interested in the idea include cancer
    patients who want to customize their masks, doctors who work in children's
    hospitals and don't want to scare kids -- and people in China. Her invention
    was picked up by Chinese media, and now her waiting list has over 2,000
    people on it, many of them with Chinese email accounts. And it's not just a
    request for one or two masks each: one potential customer requested 10,000
    masks. Eight people asked if they could be her distributor. Baskin won't be
    fulfilling these orders for a while -- there's a global mask shortage right
    now -- but the masks do work, as long as you set FaceID to recognize you when
    you're wearing it.

    ``I think these are so cool as a social object and art object,'' says
    Robert Furberg, a researcher who studies biometrics in health care. ``It's
    the fusion of something threatening and protective at the same time, and I
    just find that so compelling.'' He is one of those who reached out to
    Baskin; his wife is a nurse and has complained about the inconvenience of
    masks and FaceID. For him, the demand itself is a form of social commentary:
    ``It's just so 2020.''

    But while most people are simply concerned about being able to use their
    phones while wearing a mask, they may discover a surprising bonus. Baskin
    says there's an element of *anti*-surveillance built in. ``[The mask]
    appears to be working with facial recognition, but it will never actually be
    your face,'' she says. It's tricking the technology and protecting your
    biometric information: ``The image is something your friends could identify
    as you but that machine learning can't, and it shows that face recognition
    has errors.''

    Art against surveillance

    Arty anti-surveillance devices and techniques have become more popular in
    recent years, from anti-facial-recognition face paint to an *invisibility
    cloak* <https://arxiv.org/abs/1910.14667> that can block object detectors;
    from the Adversarial Fashion line that confuses automated license plate
    readers
    <https://www.technologyreview.com/f/...ine-confuses-automated-license-plate-readers/>
    to the simple face masks that protesters in Hong Kong and India have used to
    hide their face from cameras. The media reports breathlessly
    <https://www.businessinsider.com/clo...e-visor-blocks-ais-ability-to-detect-a-face-6>
    on each advance, but for the most part, they are more political commentary
    than useful tactics for the average person
    <https://slate.com/technology/2019/08/facial-recognition-surveillance-fashion-hong-kong.html>.
    Those projects, in fact, might be less helpful if they went mainstream,
    because wide adoption could lead to an arms race that enables the invasive
    technology to route around defenses. [...]

    https://www.technologyreview.com/s/...ystopian-joke-of-faceid-masks-into-a-reality/

    ------------------------------

    Date: Tue, 3 Mar 2020 09:27:28 +0000
    From: paul cornish <paul.a...@googlemail.com>
    Subject: The Computer Says No! UCLA face recognition

    To counter the plans to use face recognition on campus 400 photos of staff
    and athletes were run through a facial recognition system (Amazon's)
    comparing to a mugshot database with the result that 58 of them were
    incorrectly matched. The majority of the incorrect matches were people of
    colour.

    https://www.fightforthefuture.org/n...ognition-surveillance-on-campus-ebe005e3f715/

    ------------------------------

    Date: Tue, 25 Feb 2020 10:39:58 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: AI baby monitors attract anxious parents: Fear is the quickest
    way to get people's attention (WashPost)

    https://www.washingtonpost.com/technology/2020/02/25/ai-baby-monitors/

    ``This style of technology could also follow babies beyond the crib. The
    electronics firm ViewSonic said last month that it was building a
    whiteboard-mounted 'mood sensing' device that could monitor students and
    alert teachers as to how engaged a class may be. The company's chief
    technology officer, Craig Scott, said in a statement that the system was
    still in early development but was being designed to 'improve class
    performance.'

    ``But this level of computer-aided surveillance, Brooks said, can also have
    a corrosive effect on parents' sense of self-worth and state of mind. The
    devices, she said, send the message that parents have failed if they don’t
    watch their baby at every turn.

    ``We have this mind-set, this mentality, that when kids are involved, we
    don’t have to be rational. Any risk mitigation is worth the cost we have to
    pay,'' Brooks said. But the system ``undermines parents' feelings of basic
    competence: that they can't trust themselves to take care of their babies
    without a piece of $500 equipment.''

    I'm feeling safer already: Cradle-to-grave surveillance built for a
    surveillance economy. This baby monitor stirs paranoia like "fluoride in
    children's ice cream." (Per General Jack D. Ripper of "Dr. Strangelove.")

    ------------------------------

    Date: Fri, 28 Feb 2020 18:15:55 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How North Korean Hackers Rob Banks Around the World (WIRED)

    They scored $80 million by tricking a network into routing funds to Sri
    Lanka and the Philippines and then using a *money mule* to pick up the cash.

    The bills are called supernotes. Their composition is three-quarters cotton
    and one-quarter linen paper, a challenging combination to produce. Tucked
    within each note are the requisite red and blue security fibers. The
    security stripe is exactly where it should be and, upon close inspection, so
    is the watermark. Ben Franklin's apprehensive look is perfect, and betrays
    no indication that the currency, supposedly worth one hundred dollars, is
    fake.

    Most systems designed to catch forgeries fail to detect the supernotes. The
    massive counterfeiting effort that produced these bills appears to have
    lasted decades. Many observers tie the fake bills to North Korea, and some
    even hold former leader Kim Jong-Il personally responsible, citing a
    supposed order he gave in the 1970s, early in his rise to power. Fake
    hundreds, he reasoned, would simultaneously give the regime much-needed hard
    currency and undermine the integrity of the US economy. The self-serving
    fraud was also an attempt at destabilization.

    https://www.wired.com/story/how-north-korea-robs-banks-around-world/

    ------------------------------

    Date: Sat, 22 Feb 2020 15:54:29 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fido Alliance gets backing from Apple to replace passwords
    (9to5Mac)

    The Fido Alliance, an organization committed to eliminating the need for
    passwords, received a big boost last week when Apple signed up as a board
    member. Fido stands for Fast IDentity Online.

    Apple apparently wasn't ready to announce its support immediately, as tweets
    from a Fido Alliance conference were quickly deleted, but as of today, the
    news is official.

    French site MacG spotted a now-deleted tweet that had a photo (below) of a
    conference slide showing the Apple logo and the text 'New Board Member.'

    While that tweet didn't stay up for long, Apple has today been added to the
    official website as a board-level member, alongside such tech companies as
    Amazon, Arm, Facebook, Google, Intel, Microsoft, and Samsung. A number of
    big-name finance companies are also board members, including American
    Express, ING, Mastercard, Paypal, Visa, and Wells Fargo.

    https://9to5mac.com/2020/02/11/fido-alliance/

    ------------------------------

    Date: Sun, 23 Feb 2020 08:39:44 -0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: 911 operators couldn't trace the location of a dying
    student's phone. It's a growing issue. (WashPost)

    https://www.washingtonpost.com/health/2020/02/22/student-died-911-call-location/

    The case highlights issues that have plagued 911 phone systems across the
    country since the advent of smartphones. Cellphone privacy settings and
    outdated dispatch mapping systems continue to frustrate first responders
    when they can't find callers.

    Landline numbers are much easier for these systems to pinpoint. But over 80
    percent of the calls to the nation's 911 centers are from cellphones, The
    Washington Post has previously reported.

    The Federal Communications Commission has required cellphone carriers to
    improve the transfer of information to 911 centers. The carriers have until
    2021 to make sure transmitted locations are within 50 yards 80 percent of
    the time.

    Some injuries prevent precise location disclosure. Geolocation exactitude
    is a requirement for first-responder timeliness. There are cracks in the
    surveillance economy: a foreign registered cellphone, used domestically
    (in the US, for now at least), does not possess a locally resolvable name
    or resident address.

    ------------------------------

    Date: Wed, 26 Feb 2020 11:45:43 -0500 (EST)
    From: ACM TechNews <technew...@acm.org>
    Subject: Rice University Boosts 'Internet of Things' Security -- Again

    Mike Williams, Rice University, 18 Feb 2020

    Researchers at Rice University have developed a technique to improve
    security for Internet of Things (IoT) devices significantly, while using far
    less energy. The new technique is a hardware solution based on the power
    management circuitry found in most central processing chips. The method
    leverages power regulators to muddle information leaked by the power
    consumption of encryption circuits. A breakthrough last year by the team
    generated paired security keys based on fingerprint-like defects unique to
    every computer chip. ``This year, the story is similar, but we are not
    generating keys,'' said Rice's Kaiyuan Yang. ``We are looking at defending
    against a new type of attack that is specifically for IoT and mobile
    systems.''
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-240c1x220a09x070995&

    ------------------------------

    Date: Mon, 2 Mar 2020 21:46:08 -0500
    From: Chuck Weinstock <wein...@conjelco.com>
    Subject: Startup's Stock Trading App experiences a day-long outage on one of
    the busiest trading days of the year (Tech Crunch)

    Quoting in part from TechCrunch:
    https://techcrunch.com/2020/03/02/r...he-dow-enjoyed-its-single-biggest-point-gain/

    Robinhood, the startup with a stock trading app ..., suffered one of its
    worst outages on one of the busiest trading days of the year.

    As the Dow Jones Industrial Average enjoyed the single biggest point-gain in
    the history of the index, Robinhood's application fell prey to an error that
    locked users out of the service for the duration of Monday's trading.

    One potential cause of the outages could just be the high trading volumes
    that have accompanied highly volatile markets over the past month. While
    there were some early reports that the bug was caused by a Leap Day bug, the
    company has denied that a February 29th error was at fault.

    The company's mistake could cost its users lots of money as they sought to
    trade on stocks that were hit in last week's string of losses due to
    investor worries over the impact the novel coronavirus, COVID-19, would have
    on the global economy.

    The company said ``We don't have an estimate when the issue will be resolved
    but all of us at Robinhood are working as hard as we can to resume
    service.''

    I became aware of this because of a friend who had successfully bet (via
    options), last week, that the market would go down significantly over virus
    fears. When he went to sell his options today he could not because of the
    Robinhood failure. I do not want to make light of his pain, but it would be
    ironic if he suffered this loss because of a virus.

    [See also
    https://gizmodo.com/stock-trading-app-robinhood-experiences-widespread-outa-1842042516
    ]

    ------------------------------

    Date: Wed, 26 Feb 2020 09:04:55 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Government-Run Energy Company Keeps Reeling in the Same Employees
    in Phishing Training (nextgov.com)

    https://www.nextgov.com/cybersecuri...ling-same-employees-phishing-training/163323/

    Personal accountability for failure to prevent phishing assault is a common
    problem in industry, government, and non-profit organizations.

    Employment laws prevent penalties: demotion, fines, dismissal for cause,
    though the brand outrage arising from these incidents can be severe.

    The essay raises important questions about *repeat offenders* -- those
    individuals who neglect to practice IT hygiene for lack of competence,
    professionalism, or incautious actions.

    Given that phishing is unlikely to decay in frequency, education appears to
    be the only means to suppress it. If the CEO activates a phished assault,
    the mess gets cleaned up and communication lockdown is enforced -- until it
    leaks to the press. If general slave #6 initiates it, what do most
    organizations do? Promote the individual?

    Risk: Weak organizational deterrence against IT threats.

    ------------------------------

    Date: Wed, 26 Feb 2020 20:48:46 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Clearview AI has billions of our photos. Its entire client list was
    just stolen (CNN Business)

    Clearview AI, a startup that compiles billions of photos for facial
    recognition technology, said it lost its entire client list to hackers. The
    company said it has patched the unspecified flaw that allowed the breach to
    happen.

    In a statement, Clearview AI's attorney Tor Ekeland said that while security
    is the company's top priority, ``Unfortunately, data breaches are a part of
    life. Our servers were never accessed.'' He added that the company continues
    to strengthen its security procedures and that the flaw has been patched.

    Clearview AI continues ``to work to strengthen our security,'' Ekeland said.

    https://www.cnn.com/2020/02/26/tech/clearview-ai-hack/index.html

    Too late, maybe?

    ------------------------------

    Date: Thu, 27 Feb 2020 00:06:39 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Afraid of the Thirteenth Floor? Superstition and Real Estate,
    Part 2 (Skeptical Inquirer)

    The author writes:

    In my January column, I described the influence of feng shui on the Chinese
    real estate market. Although it would be hard to match the pervasive
    influence of traditional Chinese superstition in real estate and other areas
    of commerce, the Chinese are not alone. One of the most interesting survey
    results I've ever come across is a 2007 Gallup poll that showed 13 percent
    of American adults would be bothered if given a hotel room on the thirteenth
    floor (Carroll 2007). Thirteen percent. Furthermore, nine percent of
    respondents said they would be bothered enough to ask for a different
    room. As is the case for many traditional superstitions, the majority of
    those who said they would be bothered were women.
    https://news.gallup.com/poll/26887/thirteen-percent-americans-bothered-stay-hotels-13th-floor.aspx
    https://skepticalinquirer.org/exclu...th-floor-superstition-and-real-estate-part-2/

    The risk? At best (and not very good):

    We're hard-wired to connect dots. When Thing 1 happens, and then Thing 2
    happens, we humans are very likely to conclude that Thing 1 caused Thing 2,
    even if they're completely unrelated; it's a phenomenon psychologists call
    the *illusion of causality*.
    <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4488611/>

    https://www.washingtonpost.com/life...dd8534-54a8-11ea-9e47-59804be1dcfb_story.html

    ------------------------------

    Date: Thu, 27 Feb 2020 12:29:32 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hilton drags corporate feet, minimizes disclosing personal data
    held

    From a friend... I guess Virginians lose. For those image-challenged,
Hilton offers, ``Some regional, national, state laws confer certain rights
relating to personal data.'' But it answers a request from Virginia with,
``We're sorry! Only certain states afford rights relating to personal data
to their residents.''

    ------------------------------

    Date: Fri, 28 Feb 2020 00:18:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How a Hacker's Mom Broke Into a Prison -- and the Warden's Computer
    (WiReD)

    Security analyst John Strand had a contract to test a correctional
    facility's defenses. He sent the best person for the job: his mother.

    https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/

    The risk? Mom.

    ------------------------------

    Date: Tue, 25 Feb 2020 19:45:38 -0500
    From: David Lesher <wb8...@panix.com>
    Subject: Old RISKS risks are still in vogue

    No backups; open and under appeal cases affected: ``The computer did it!''

    <https://www.wxyz.com/news/local-new...ed-from-the-wayne-co-medical-examiners-office>

    ------------------------------

    Date: Sat, 29 Feb 2020 01:30:54 -0500 (EST)
    From: Mark Brader <msb@Vex.Net>
    Subject: Risks of Leap Years and Dumb Digital Watches

    All right now, how many people reading this:

    [1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81,
    20.83, 23.24, 25.07, 26.75, and/or 29.30;

    [2] still wear a wristwatch instead of using a cellphone or something
    as a pocket watch;

    [3] have the kind that needs to be set back a day because (unlike the
    smarter types that track the year or receive information from
    external sources) it went directly from February 28 to March 1;

    and

    [4] *hadn't realized it yet*?

    Personally, I realized about 20 minutes ago, and am going to set it back now.

    [Leap Year and Mark Brader Strike Again. PGN]

    ------------------------------

    Date: Mon, 24 Feb 2020 04:58:18 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: TikTok Challenges, Ranked by How Likely They Are to Maim or Kill
    You (Vice)

    The *skull breaker* challenge is, somehow, not even the most terrifying
    thing happening on this app.

    https://www.vice.com/en_us/article/...llenges-skullbreaker-cha-cha-slide-bright-eye

    ------------------------------

    Date: Mon, 24 Feb 2020 09:04:30 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Algorithm Targets Marijuana Convictions Eligible To Be Cleared
(npr.org)

    ``Code for America saw an opportunity: To help clear the backlog of some
    220,000 cases, the organization developed an algorithm to identify which
    residents qualify to have their records cleared or reduced. Now, district
    attorneys across the state are crediting the group with expediting an
    otherwise slow and tedious process.''

Mass exoneration or mass incarceration. Batch processing saves individual
adjudication costs. Trust that the algorithm doesn't *overlook* an innocent
case. Data fallout/dropout is a common occurrence in big business. This
situation certainly exemplifies the situation. Albeit, it is one-off usage.

    Risk: Mass exoneration by algorithmic fiat.

    ------------------------------

    Date: Mon, 24 Feb 2020 17:59:07 -0800
    From: Richard Stein <rms...@ieee.org>
Subject: Would you eat a 'steak' printed by robots? (bbc.com)

    Would the personnel that trained or coded the robot that manufactures the
    steak, and their families, consume it for a few months before the public
    bought it? Can a 3D steak printing robot offer a bias-free taste-test
    opinion? Will it always answer, ``What's the beef about the printed beef?''

    Risk: Sanitation, nutrition, and safety of 3D printed foods and components
    sold for human consumption.

    ------------------------------

    Date: Mon, 24 Feb 2020 23:40:12 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: 'They lied to us': Mom says police deceived her to get her DNA
    and charge her son with murder

    A murder case raises the question: Is it OK for police to lie to get an
    innocent person's DNA?

    https://www.nbcnews.com/news/us-news/they-lied-us-mom-says-police-deceived-her-get-her-n1140696

    ------------------------------

    Date: Tue, 25 Feb 2020 07:08:26 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Taxes are expected to rise in Taunton, MA after an assessing tech
    snafu (Christopher Gavin)

    Christopher Gavin, *The Boston Globe*, 24 Feb 2020
    https://www.boston.com/news/local-news/2020/02/24/error-taxes-taunton

    A seemingly small line error has created a major problem for Taunton's
    assessors — and it's going to cost taxpayers. Officials were forced to
    essentially reboot their billing process after a software upgrade meant
    that local public school property was added to the list of taxable
    properties, they say.

    The snafu came when the non-profit Head Start building, adjacent to
    Taunton High School, was added to the system as a taxable property, which
    generated invoices for all of the school buildings at the site, Assessor
    Richard Conti told the City Council last week.

    The assessed value of Taunton's commercial and industrial properties shot
    up by $136,846,200, at least on paper. The school property was then logged
    as being on the hook for $4.2 million in taxes for what is nontaxable
    property, Conti said.

    The oversight was only caught when the school superintendent sent the
    bills back to the assessor's office. ``This all happened as a result of a
    perfect storm of errors that went into sequence that no one has ever
    experienced before,'' Conti said during the Feb. 18 meeting. ``This
    happened in a manner that none of our peers, none of the people in the
    Department of Revenue would have caught because of the software.''

    ------------------------------

    Date: Tue, 25 Feb 2020 15:46:51 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Pets 'go hungry' after smart feeder goes offline (bbc.com)

    https://www.bbc.com/news/technology-51628795

    A pet-sitter's career remains safe from redundancy as long as Internet-based
    pet feeders are purchased.

    ------------------------------

    Date: Mon, 02 Mar 2020 06:53:30 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Emissions possible: Streaming music swells carbon footprints
    (Al Jazeera)

    Watching films and listening to music online produces more greenhouse
    gas emissions than many realise.
    https://www.aljazeera.com/ajimpact/...t-streaming-music-videos-200221220408755.html

    ------------------------------

    Date: Wed, 26 Feb 2020 14:40:30 +0000
    From: John Stockton <dr.j.r...@gmail.com>
    Subject: Re: Linux is ready for the end of time (ZDNet, RISKS-31.58)

    Large error!!!

    Risks Digest has correctly quoted the ZDNet article, which says that 64-bit
    Linux runs out of seconds in the year 29,227,702,659.

    But I believed that we have about ten times longer to wait, and that the
    true S2^63 instant is about AD 292,277,026,596-12-04 Sun 15:30:08 GMT
    (Gregorian) .

I find, by Firefox JavaScript and by Windows Calculator, that
(2^63)/(60*60*24*365.2425) + 1970 is 292277026596.9277 , to 4 decimal
places.

    ZDNet dropped the final 6 of the year count.

    But I now see that my date/time above, which the ZDNet author might have
    seen a copy of, cannot be quite right; 1970 and ...6596 are manifestly in
    different phases of the 400-year cycle of the secular Gregorian Calendar,
    and therefore the value 365.2425 is not precisely suitable.

    The moral is that a reader should, whenever possible, check any printed
    figure to see whether it is, at least, perhaps right.
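
An added example, not part of the message above and not code from ZDNet or
the Linux kernel: the overflow instant of a signed 64-bit time_t carried
through with exact integer calendar arithmetic instead of the 365.2425-day
approximation. Python's datetime stops at year 9999, so the days-to-civil
conversion is written out in full; it is the standard proleptic-Gregorian
algorithm that several libc implementations use, and it handles the 400-year
cycle exactly. The 32-bit case is included as a check against the familiar
2038-01-19 03:14:08 UTC limit.

```python
# Added example (not from the RISKS message above): the exact UTC calendar
# instant at which a signed time_t of a given width overflows, i.e. 2**(bits-1)
# seconds after 1970-01-01T00:00:00Z, computed with integer arithmetic in the
# proleptic Gregorian calendar. No approximation of a year as 365.2425 days is
# involved, so the result is correct regardless of where 1970 and the target
# year fall in the 400-year cycle.

from typing import Dict, Tuple

SECONDS_PER_DAY = 86_400
DAYS_PER_400_YEARS = 146_097  # one full Gregorian cycle (400*365 + 97 leap days)
# 1970-01-01 was a Thursday, so index (days since epoch) % 7 into this table.
WEEKDAYS = ["Thu", "Fri", "Sat", "Sun", "Mon", "Tue", "Wed"]


def civil_from_days(days_since_epoch: int) -> Tuple[int, int, int]:
    """Day count relative to 1970-01-01 -> (year, month, day), proleptic Gregorian.

    Works for arbitrarily large (or negative) counts because Python integers
    are unbounded and // is floor division."""
    z = days_since_epoch + 719_468             # re-base the epoch to 0000-03-01
    era = z // DAYS_PER_400_YEARS              # which 400-year cycle we are in
    doe = z - era * DAYS_PER_400_YEARS         # day of era, 0..146096
    # year of era: subtract the leap days that fall inside this era so far
    yoe = (doe - doe // 1460 + doe // 36_524 - doe // 146_096) // 365
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)  # day of year, March-based
    mp = (5 * doy + 2) // 153                  # March = 0 ... February = 11
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9
    if m <= 2:                                 # Jan/Feb belong to the next civil year
        y += 1
    return y, m, d


def epoch_seconds_to_utc(seconds: int) -> Dict[str, object]:
    """Split an epoch second count into a UTC calendar timestamp."""
    days, seconds_of_day = divmod(seconds, SECONDS_PER_DAY)
    year, month, day = civil_from_days(days)
    hour, rem = divmod(seconds_of_day, 3600)
    minute, second = divmod(rem, 60)
    return {
        "year": year, "month": month, "day": day,
        "hour": hour, "minute": minute, "second": second,
        "weekday": WEEKDAYS[days % 7],
    }


def time_t_limit(bits: int) -> Dict[str, object]:
    """The first instant a signed time_t of `bits` bits cannot represent."""
    return epoch_seconds_to_utc(2 ** (bits - 1))


if __name__ == "__main__":
    for bits in (32, 64):
        t = time_t_limit(bits)
        print(f"{bits}-bit time_t overflows at "
              f"{t['year']}-{t['month']:02d}-{t['day']:02d} {t['weekday']} "
              f"{t['hour']:02d}:{t['minute']:02d}:{t['second']:02d} UTC")
```

The same routine can be pointed at any width (a 40-bit field, a 56-bit one) to
get its end date, which is the kind of check the message recommends applying
to any printed figure before repeating it.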

    ------------------------------

    Date: Sat, 22 Feb 2020 17:00:13 -0600
    From: "Craig S. Cottingham" <craig.c...@gmail.com>
    Subject: Re: Mysterious GPS outages are wracking the shipping industry
    (Fortune, RISKS-31.59)

    Is basic maritime navigation no longer taught to merchant crew? I've never
    navigated in open water, but I still know some of the basics, like how to
    read a compass, to leave green navigation markers to port and red to
    starboard, etc.

As far as other vessels go, they should be clearly marked and lit -- red
    light on the port side, green on the starboard, white light on the stern and
    I believe at the top of the mast, and the *rules of the road* clearly state
    to which side you should leave the other vessel if your courses appear to
    intersect. Calling out *NATO and Russian warships* specifically is a form of
    scare words -- they should be marked and lit like any other vessel, unless
    operating under wartime conditions, in which case it's incumbent on *them*
    to avoid collisions.

    I'm not saying that losing your GPS-based navigation is trivial, but any
    ocean-going vessel and its crew should already be equipped to at least have
    a reasonable chance of avoiding a navigation-related catastrophe.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.60
    ************************
     
  13. LakeGator (Mostly Harmless, Moderator, VIP Member; Tampa; member since Apr 3, 2007)

    Risks Digest 31.61

    RISKS List Owner

    Mar 15, 2020 10:20 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Sunday 15 March 2020 Volume 31 : Issue 61

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.61>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [WAY BACKLOGGED!!!]
    A lawsuit against ICE reveals the danger of government-by-algorithm
    (WashPost)
    This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
    (PTSecurity)
    How the Cloud Has Opened Doors for Hackers (WashPost)
    Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)
    Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich
    (The New York Times)
    How Hackers and Spies Could Sabotage the Coronavirus Fight
    (Bruce Schneier and Margaret Bourdeaux, Foreign Policy)
    Cybersecurity label for smart home devices (The Straits Times)
    South Korea warns when potential virus carriers are near (BBC)
    COVID-19, toilet paper, hoarding, and emergency preparedness (Rob Slade)
    U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus
    Group (Treasury via geoff goodfellow)
    Black Market White Washing- Why You Shouldn't Take Legal Advice From
    Criminals (Disruptive Labs)
    Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)
    Risks of publishing web browser screenshots (MarketWatch)
    China's Geely invests $326M to build satellites for autonomous cars
    (Reuters)
    Congress Must Stop the Graham-Blumenthal Anti-Security Bill (Gabe Goldberg)
    Empty Promises Won't Save the .ORG Takeover (EFF)
    How to clean up the mess we've made that's orbiting the Earth (The Hill)
    How fake audio, such as deepfakes, could plague business, politics
    (Bakersfield)
Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or
Not to Pay? (Pew)
    Through apps, not warrants, Locate X allows federal law enforcement to track
    phones (Protocol)
    A hybrid AI model lets it reason about the world's physics like a child
    (MIT Tech Review)
    This Satellite Startup Raised $110 Million To Make Your Cellphone Work
    Everywhere (Forbes)
    Your smartphone is dirtier than a toilet seat. Here's how to disinfect it.
    (Mashable)
    PCI Fireside Chat: Vint Cerf and Ian Bremmer (The Unstable Globe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 6 Mar 2020 15:07:46 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A lawsuit against ICE reveals the danger of
    government-by-algorithm (The Washington Post)

    https://www.washingtonpost.com/outl...t-ice-reveals-danger-government-by-algorithm/

    ``The immigration agency's New York office tweaked risk-evaluation software
    to keep thousands in jail, watchdog groups say.''

    ------------------------------

    Date: Fri, 6 Mar 2020 11:45:14 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
    (PTSecurity)

All Intel processors released in the past 5 years contain an unpatchable
vulnerability that could allow hackers to compromise almost every
hardware-enabled security technology that is otherwise designed to shield
sensitive data of users even when a system gets compromised.

    The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded
    firmware running on the ROM (read-only memory) of the Intel's Converged
    Security and Management Engine (CSME), which can't be patched without
    replacing the silicon.

Intel CSME is a separate security micro-controller incorporated into the
processors that provides an isolated execution environment protected from
the host operating system running on the main CPU.

    It is responsible for the initial authentication of Intel-based systems by
    loading and verifying firmware components, root of trust based secure boot,
    and also cryptographically authenticates the BIOS, Microsoft System Guard,
    BitLocker, and other security features.

    Although this insufficient access control vulnerability is not new and was
    previously patched by Intel last year when the company described it just as
    a privilege escalation and arbitrary code execution in Intel CSME firmware
    modules, the extent of the flaw remained undervalued.

    Researchers at Positive Technologies have now found that the issue can also
    be exploited to recover the Chipset Key, a root cryptographic key or sort of
    a master password that could help unlock and compromise a chain of trust for
    other security technologies, including digital rights management (DRM),
    firmware Trusted Platform Module (TPM), and Identity Protection Technology
    (IPT).
    <Positive Technologies - learn and secure : Intel x86 Root of Trust: loss of trust>

    That means the flaw could be exploited to extract data from encrypted
    hard-drives and to bypass DRM protections and access copyright-protected
    digital content. [...]

    This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years

    ------------------------------

    Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
    From: ACM TechNews <technew...@acm.org>
    Subject: How the Cloud Has Opened Doors for Hackers (WashPost)

    Craig S. Smith, *The Washington Post*, 2 Mar 2020
    via ACM TechNews; Wednesday, March 4, 2020

    Corporate transfers of operations to the cloud have elevated the threat of
hacking, as the cloud can be accessed remotely with ease. Manav Mital,
co-founder of cloud security startup Cyral, said cloud companies manage the
    upkeep and security of physical servers, but client requirements for ease of
    access have spawned new apps and databases, and increasingly complex
    services that are difficult to manage and monitor. Although companies still
    shield private data behind firewalls and other security measures, more
    people and programs require access to data in the cloud, making it easier
    for bad actors to find potential vulnerabilities. The Ponemon Institute
    estimated that cloud breaches cost each individual company $3.92 million on
    average.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c61x069057&

    ------------------------------

    Date: Fri, 6 Mar 2020 11:19:24 -0500
    From: Gabe Goldberg <ggol...@apcug.org>
    Subject: Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)

    Encryption flaws in a common anti-theft feature expose vehicles from major
    manufacturers.

    Even so, the researchers say that they decided to publish their findings to
    reveal the real state of immobilizer security and allow car owners to decide
    for themselves if it's enough. Protective car owners with hackable
    immobilizers might decide, for instance, to use a steering wheel lock.
    ``It's better to be in a place where we know what kind of security we're
    getting from our security devices. Otherwise, only the criminals know.''
    [Garcia quoted]

    Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

    That paragraph -- last in article -- is ridiculous. I once put steering
    wheel lock on a borrowed car, then realized owner hadn't given me key for
    it. Locksmith took about two minutes to pick the lock -- not needing to cut
    it off -- saying that with practice anyone can do that.

    ------------------------------

    Date: Fri, 6 Mar 2020 11:39:15 -0500
    From: Gabe Goldberg <ggol...@apcug.org>
    Subject: Before Clearview Became a Police Tool, It Was a Secret
    Plaything of the Rich (The New York Times)

Investors and clients of the facial recognition start-up freely used the
app on dates and at parties -- and to spy on the public.

    https://www.nytimes.com/2020/03/05/technology/clearview-investors.html

    ------------------------------

    Date: Fri, 06 Mar 2020 17:57:30 +0100
    From: "Diego.Latella" <diego....@isti.cnr.it>
    Subject: How Hackers and Spies Could Sabotage the Coronavirus Fight
    (Bruce Schneier and Margaret Bourdeaux, Foreign Policy)

    https://foreignpolicy.com/2020/02/28/hackers-spies-coronavirus-espionage/

    ------------------------------

    Date: Fri, 6 Mar 2020 15:23:10 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Cybersecurity label for smart home devices (The Straits Times)

    https://www.straitstimes.com/singapore/cyber-security-label-for-smart-home-devices

    ``Market research firm Gartner has estimated that the number of IoT devices
    in use globally will grow from 8.4 billion in 2017 to 20.4 billion this
    year, with twice as many consumer installations as industrial ones. But the
    rules surrounding how IoT devices are designed for cybersecurity are lax,
    raising concerns about major privacy and security risks as such devices
    proliferate.''

    The `cybersecurity' label might grow larger than the device package. When,
    or if, it does switch to an alternate rating indicator: 'Stars' or
    'Smileys'?

    There's always `human error' when testing for product release readiness
    characteristics: performance, reliability, function, ease of use, or device
    security/safety for example. Latent defect escape potential elevates
    deployment exploitation risk.

    What about correlating IoT software (or hardware) component integration
    against CVEs (https://cve.mitre.org/), and using this outcome to establish a
    `security' or `defect' escape risk rating? Given their perfect operational
    record, a HAL-9000 would be ideal for this exercise.

    Risk: Inaccurate `cybersecurity label' indicators misguide consumer IoT
    product purchase decisions.
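
An added example, not part of Richard Stein's message above and not any real
labelling scheme: a minimal correlation of a device's software bill of
materials (SBOM) against an advisory feed, folded into a letter grade of the
kind a package label might carry. Every component name, version, advisory
identifier and score is constructed for illustration (the identifiers use an
`EX-' prefix so they cannot be mistaken for real CVEs), and the grade
thresholds are an assumption. It also shows one way such a label goes wrong
in practice: comparing versions as strings puts 1.2.10 before 1.2.9 and
flags a component that has already been patched.

```python
# Added example, not from the RISKS message above: correlate a device SBOM
# with an advisory feed and fold the findings into a letter-grade label.
# Component names, versions, advisory IDs (prefixed "EX-", not real CVEs) and
# CVSS-style scores are all constructed for this example; the thresholds in
# grade() are an assumption, not any published scheme.

from typing import Dict, List, Tuple

Component = Dict[str, str]
Advisory = Dict[str, object]
Finding = Tuple[str, str, str, float]  # (component, version, advisory id, score)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically.

    Comparing the raw strings would order '1.2.10' before '1.2.9' and mark a
    patched component as still vulnerable."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """Affected range is [introduced, fixed): the fixed version itself is clean."""
    if component["name"] != advisory["component"]:
        return False
    v = parse_version(component["version"])
    return parse_version(str(advisory["introduced"])) <= v < parse_version(str(advisory["fixed"]))


def match_advisories(sbom: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Every advisory that still applies to some component in the SBOM."""
    return [
        (c["name"], c["version"], str(a["id"]), float(a["score"]))
        for c in sbom
        for a in advisories
        if is_affected(c, a)
    ]


def grade(findings: List[Finding]) -> str:
    """A: nothing known outstanding; B/C/D by the worst outstanding score."""
    if not findings:
        return "A"
    worst = max(score for _, _, _, score in findings)
    if worst >= 9.0:
        return "D"
    if worst >= 7.0:
        return "C"
    return "B"


def rate_device(sbom: List[Component], advisories: List[Advisory]) -> Tuple[str, List[Finding]]:
    findings = match_advisories(sbom, advisories)
    return grade(findings), findings


# Constructed SBOM for a hypothetical smart-plug firmware image.
SBOM: List[Component] = [
    {"name": "libtls-example", "version": "2.4.1"},
    {"name": "httpd-example", "version": "1.2.10"},   # already past the fix below
    {"name": "mqtt-example", "version": "0.9.3"},
]

# Constructed advisory feed (not real vulnerabilities).
ADVISORIES: List[Advisory] = [
    {"id": "EX-2020-0001", "component": "libtls-example", "introduced": "2.0.0", "fixed": "2.4.2", "score": 9.8},
    {"id": "EX-2020-0002", "component": "httpd-example", "introduced": "1.0.0", "fixed": "1.2.9", "score": 7.5},
    {"id": "EX-2020-0003", "component": "mqtt-example", "introduced": "0.9.0", "fixed": "1.0.0", "score": 5.3},
]

if __name__ == "__main__":
    label, found = rate_device(SBOM, ADVISORIES)
    print(f"label: {label}")
    for name, version, adv_id, score in found:
        print(f"  {name} {version}: {adv_id} (score {score})")
    # A label is only as current as the feed it was computed from: the same
    # firmware re-rated after a new advisory appears can drop a grade unchanged.
```

The grade is a snapshot of the feed on the day it was computed, which is the
caveat any printed label carries: the firmware does not change, but the feed
does.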

    ------------------------------

    Date: Thu, 5 Mar 2020 11:42:24 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: South Korea warns when potential virus carriers are near (BBC)

And where they've been, like bars, love motels, etc. Deanonymization of the
data is sometimes a trivial exercise for social media users.

    ``He was at his work in Mapo district attending a sexual harassment class. He
    contracted the virus from the instructor of the class.''

    ------------------------------

    Date: Fri, 6 Mar 2020 11:55:31 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: COVID-19, toilet paper, hoarding, and emergency preparedness

    Toilet paper? *Really*?

    Of course, I've seen the news stories showing streams of shoppers with carts
    full of toilet paper. The news stories all showed Costco, so I was hoping
    that maybe it was only Costco members who were that stupid. But, no. On my
    way home last night I stopped for some groceries and the toilet paper aisle
    in my local Save-On was pretty bare. (Not, fortunately, completely denuded,
    so my neighbours aren't completely deluded.) (And, if you're looking, the
    Safeway had a decent stock, albeit with some bare sections.)

    Hoarding is a particularly insidious threat. It's hard to protect against.
    Unless you're going to ration, how do you tell people what (and how much)
    they can and cannot buy? (Yes, I know. Rationing smacks of socialism, or
    some other type of non-or-anti-capitalist system. But hoarding is the
    inherent weakness of capitalism: unrestricted, capitalism tends to
    concentrate capital, which then becomes useless.) Now, we are not only
    faced with the coronavirus, but with the COVID-19 toilet paper meme virus.
    People see that there is a run on, or shortage of, toilet paper, so they run
    out and drive around (wasting gas) trying to buy toilet paper. Creating a
    shortage of toilet paper.

    (It's particularly galling here in BC. We have trees. We make toilet
    paper. By the ton.)

    Why toilet paper? I mean, I defer to no one in my admiration for the stuff.
    It is one of the marvels of the modern age. (Toilet paper, and the
    Internet.) It has lots of uses besides that originally intended. But it
    has no magical medicinal properties.

Yes, I know. We, in the emergency management field, have been trying, for
years, to get people to build emergency prep kits. Have enough supplies to
tide you over for three days. Or seven days. Or, in this case, two weeks.
    Fine. I get it. But do you know how much toilet paper you use in two
    weeks? You don't need to clear out stores.

    (I have noticed gaps in the canned beans section, and also in the soup
    aisle. Although, for some reason, Campbell's Chunky soups are completely
    stocked. Personally, I *like* chunky soups ...)

    And, if you are going to build an emergency prep kit, *during* an emergency
    is not the time to do it. You have to put some thought into it. How much
    toilet paper do you use in a week? How much soup do you eat in a week?
    *Do* you eat soup? Yes, I advise you to build an emergency prep kit. But
    *build* one. Don't just rush out and buy toilet paper.

    Besides, COVID-19 is not going to be the type of `stock up on water and
    canned beans' type of regional disaster. You will still be able to get
    Amazon to deliver toilet paper to you if you get sick and have absolutely no
    friends in all the world to take care of you. (They may want to drop it and
    run, and you may have to keep watch on your Ring-camera-that-is-insecure-
    because-you-haven't-changed-the-default-password-have-you to prevent
    doorstep thieves from stealing your toilet paper, but they will deliver.)
    (So, by the way, will Save-On.) Travel is going to be a problem, and stocks
    may be a problem, and there may be lots of other problems. But toilet paper
    is not going to be a problem. Unless people hoard it.

    ------------------------------

    Date: Tue, 3 Mar 2020 13:36:10 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for
    Lazarus Group

    EXCERPT:

    The U.S. Department of the Treasury's Office of Foreign Assets Control
    (OFAC) today sanctioned two Chinese nationals involved in laundering stolen
    cryptocurrency from a 2018 cyber-intrusion against a cryptocurrency
    exchange. This cyber-intrusion is linked to Lazarus Group, a U.S.-designated
    North Korean state-sponsored malicious cybergroup. Specifically, OFAC is
    designating Tian Yinyin (Tian) and Li Jiadong (Li), for having materially
    assisted, sponsored, or provided financial, material, or technological
    support for, or goods or services to or in support of, a malicious
    cyber-enabled activity. Tian and Li are also being designated for having
    materially assisted, sponsored or provided financial, material, or
    technological support for, or goods or services to or in support of, Lazarus
    Group.

    ``The North Korean regime has continued its widespread campaign of extensive
    cyber-attacks on financial institutions to steal funds. The United States
    will continue to protect the global financial system by holding accountable
    those who help North Korea engage in cybercrime.'' (Secretary Steven
    T. Mnuchin)

    *Tian and Li's Activities*

    The Democratic People's Republic of Korea (DPRK) trains cyber-actors to
    target and launder stolen funds from financial institutions. Tian and Li
    received from DPRK-controlled accounts approximately $91 million stolen in
an April 2018 hack of a cryptocurrency exchange (referred to hereinafter as
*the exchange*), as well as an additional $9.5 million from a hack of
    another exchange. Tian and Li transferred the currency among addresses they
    held, obfuscating the origin of the funds.

    In April 2018, an employee of the exchange unwittingly downloaded
    DPRK-attributed malware through an email, which gave malicious cyber-actors
    remote access to the exchange and unauthorized access to customers' personal
    information, such as private keys used to access virtual currency wallets
    stored on the exchange's servers. Lazarus Group cyber-actors used the
    private keys to steal virtual currencies ($250 million dollar equivalent at
    date of theft) from this exchange, accounting for nearly half of the DPRK's
    estimated virtual currency heists that year.

    Tian ultimately moved the equivalent of more than $34 million of these
    illicit funds through a newly added bank account linked to his exchange
    account. Tian also transferred nearly $1.4 million dollars' worth of
    Bitcoin into prepaid Apple iTunes gift cards, which at certain exchanges
    can be used for the purchase of additional Bitcoin. [...]

    https://home.treasury.gov/news/press-releases/sm924

    ------------------------------

    Date: Tue, 3 Mar 2020 13:35:36 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Black Market White Washing- Why You Shouldn't Take Legal
    Advice From Criminals (Disruptive Labs)

    Fraudsters who operate shops in criminal marketplaces are constantly
    massaging their marketing pitches to assure prospective customers (and
    lurking law enforcement) that their service is legal. It's become clear
    recently that some infosec professionals can't seem to identify these
    services as bad, so these marketing efforts may have succeeded for one
    audience.

    That is what happened recently when WeLeakInfo was taken down and a number
    of infosec people expressed shock and dismay that their favorite OSINT tool
    was gone. This isn't the first time a password shop was taken down, but this
    one was unusually successful at whitewashing its origins in fraud and,
    disturbingly, some professionals seemed either unaware of this or did not
    care. Some even recommended the site, or a competitor, to their industry
    peers. Those professionals risk financing the same criminal gangs they are
    paid to stop.

    A number of other cybercrime tools have attempted to make their way into
    mainstream use, with mixed success.

    DDOS-FOR-HIRE AND THE TOS FIGLEAF

    One example is *booter* AKA *network stresser* services. These services were
    sold on criminal marketplaces as a way to knock video game opponents offline
    with DDoS attacks. Despite a business model obviously centered around abuse
    -- shown both in advertisements and target demographic, booter owners
    believed they had an ace up their sleeve. Their ToS informed users that the
    booter was ``for legal purposes only'', as a sort of legal figleaf. Under
    this speculative legal theory which was copied by nearly every vendor,
    booter owners assured their customers that the service was entirely legal
    and safe to use.

    To quote the FBI in a 2018 indictment against a booter service named
    *Downthem*. [...]

    https://labs.unit221b.com/2020/03/03/black-market/

    ------------------------------

    Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
    From: ACM TechNews <technew...@acm.org>
    Subject: Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)

    Jack Nicas, *The New York Times*, 2 Mar 2020
    via ACM TechNews; Wednesday, March 4, 2020

    University of California, Berkeley (UC Berkeley) researchers found that
    while YouTube has reduced how often its algorithm recommends conspiracy
    theory-related videos, its progress in dealing with conspiracy theories has
    been uneven, and the service still promotes certain types of fictional
    stories. The study examined 8 million recommendations by the video-sharing
    platform over a 15-month period and found that while YouTube has almost
    completely removed some conspiracy theories from its recommendations, other
    falsehoods continue to flourish. Said UC Berkeley's Hany Farid, ``It is a
    technological problem, but it is really at the end of the day also a policy
    problem. ... If you have the ability to essentially drive some of the
    particularly problematic content close to zero, well then you can do more on
    lots of things.''
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c68x069057&

    ------------------------------

    Date: Thu, 5 Mar 2020 13:39:53 -0500
    From: David Tarabar <dtar...@acm.org>
    Subject: Risks of publishing web browser screenshots (MarketWatch)

    A Fox News analyst posted a web browser screenshot on Twitter. The
    screenshot displayed the intended political info. It also displayed browser
    tabs of websites that had been previously visited - including
    *Sexy Vixen Vinyl*.

    https://www.marketwatch.com/story/fox-news-analyst-brit-humes-morning-internet-session-politics-stock-market-coronavirus-and-uh-sexy-vixen-vinyl-2020-03-03


    ------------------------------

    Date: Tue, 3 Mar 2020 13:38:06 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: China's Geely invests $326M to build satellites for autonomous
    cars (Reuters)

    China's Zhejiang Geely Holding Group said on Tuesday it was investing 2.27
    billion yuan ($326 million) in a new satellite manufacturing plant, where it
    plans to build low-orbit satellites to provide more accurate data for
    self-driving cars.

    Geely, one of China's most internationally-known companies due to its
    investments in Daimler, Volvo and Proton, is building the facilities in
    Taizhou, where it has car plants. *It aims to produce 500 satellites a year
    by around 2025*, with around 300 highly-skilled staff, it said in a
    statement.

    Geely's technology development arm, Geely Technology Group, launched
    Geespace to research, launch, and operate low-orbit satellites in 2018.
    [...]

    https://www.reuters.com/article/gee...-satellites-for-autonomous-cars-idUSL4N2AV45H

    ------------------------------

    Date: Wed, 04 Mar 2020 04:58:21 +0000 (UTC)
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Congress Must Stop the Graham-Blumenthal Anti-Security Bill

    There's a new and serious threat to both free speech and security
    online. Under a draft bill that Bloomberg recently leaked, the Attorney
    General could unilaterally dictate how online platforms and services must
    operate. If those companies don't follow the Attorney General's rules, they
    could be on the hook for millions of dollars in civil damages and even state
    criminal penalties.

    The bill, known as the Eliminating Abusive and Rampant Neglect of
    Interactive Technologies (EARN IT) Act, grants sweeping powers to the
    Executive Branch. It opens the door for the government to require new
    measures to screen users' speech and even backdoors to read your private
    communications -- a stated goal of one of the bill's authors.

    Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) have been
    quietly circulating a draft version of EARN IT. Congress must forcefully
    reject this dangerous bill before it is introduced.

    https://u15235517.ct.sendgrid.net/

    ------------------------------


    Date: Wed, 04 Mar 2020 04:57:29 +0000 (UTC)
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Empty Promises Won't Save the .ORG Takeover
    (Electronic Frontier Foundation)

    The Internet Society's (ISOC) November announcement that it intended to sell
    the Public Interest Registry (PIR, the organization that oversees the .ORG
    domain name registry) to a private equity firm sent shockwaves through the
    global NGO sector. The announcement came just after a change to the .ORG
    registry agreement -- the agreement that outlines how the registry operator
    must run the domain -- that gives PIR significantly more power to raise
    registration fees and implement new measures to censor organizations'
    speech.

    It didn't take long for the global NGO sector to put two and two together:
    take a new agreement that gives the registry owner power to hurt NGOs;
    combine it with a new owner whose primary obligation is to its investors,
    not its users; and you have a recipe for danger for nonprofits and NGOs all
    over the world that rely on .ORG. Since November, over 800 organizations and
    24,000 individuals from all over the world have signed an open letter urging
    ISOC to stop the sale of PIR. Members of Congress, UN Special Rapporteurs,
    and US state charity regulators [pdf] have raised warning flags about the
    sale.

    ------------------------------

    Date: Tue, 3 Mar 2020 13:39:08 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How to clean up the mess we've made that's orbiting the Earth
    (The Hill)

    *One company is building a space garbage truck. But experts say it will take
    more than that to rid our outer atmosphere of decades of floating debris.*

    We've been shooting large metal objects into space since 1957. Satellites,
    rockets, space stations, missiles. So it's no wonder that a garbage truck is
    set to launch in 2025 to start cleaning up the mess.

    The pioneering ClearSpace <https://clearspace.today/> device is designed to
    locate, capture and remove large items that threaten to crash into the
    satellites orbiting the planet. The problem, experts say, is that there's
    probably more than 34,000 pieces of space junk larger than 10 centimeters --
    and all of it is a hazard.
    <https://www.esa.int/Safety_Security/Space_Debris/Space_debris_by_the_numbers>

    Orbiting at 17,000 miles per hour, these bits of metal can pierce anything
    they hit with the velocity of a bullet.

    Sure, there's a lot of space in space. Our atmosphere starts at about 62
    miles above sea level and items can continue orbiting as high as 150 miles.
    But experts agree that we must think ahead. Every year, countries and
    private companies launch a steadily increasing number of satellites and
    other equipment skyward on a collective arsenal of more than 100 rockets
    every year. [...]
    https://thehill.com/changing-americ...6-how-do-you-take-out-the-trash-when-youre-in

    ------------------------------

    Date: Wed, 4 Mar 2020 10:21:58 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How fake audio, such as deepfakes, could plague business, politics
    (Bakersfield)

    Fake voices generated by artificial intelligence tools may be the next
    frontier in scams that could trick companies into forking over cash or fool
    voters into believing a politician said something he or she didn't.

    Computer-synthesized voices are not new. Anyone familiar with Amazon's Echo
    and Google's Home devices, or Apple's Siri, already knows the soothing
    female voice that answers queries.

    But that same technology can be adapted for devious means, said Vijay
    Balasubramaniyan, co-founder and CEO of Pindrop, a technology company that
    uses machine-learning techniques to identify voice fraud.

    Criminals can use publicly available video and audio of top corporate
    executives to analyze and create a fake voice of a CEO and use that in
    combination with an email hack to trick the company's executives into
    sending money. Or they can apply similar tactics to make politicians appear
    to say something they never did.

    At a brief demonstration during the RSA Conference in San Francisco,
    Balasubramaniyan logged on to a secure company computer network that held
    artificial intelligence algorithms able to analyze publicly available
    YouTube video and audio of major political and business leaders and produce
    a voice file of a person saying something they had never uttered.

    Balasubramaniyan chose President Donald Trump from a drop-down menu and
    typed in the words ``This morning American forces gave North Korea the
    bloody nose they deserve.'' into a box and hit enter. [...]
    https://www.bakersfield.com/ap/news...cle_bc6b7a55-8a15-57df-90d2-5352d3980b00.html

    ------------------------------

    Date: Thu, 5 Mar 2020 12:25:16 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Ransomware Attacks Prompt Tough Question for Local Officials: To
    Pay or Not to Pay? (Pew)

    When cybercriminals struck Lake City, Florida, last June, city officials had
    to make a tough choice: Pay the hackers or restore systems on their own.

    A ransomware attack had hijacked the government's computer network and held
    it hostage for several weeks. While the attack didn't affect the police,
    fire or financial departments, it wreaked havoc on phone lines, email,
    utility records and many other services.

    The hackers first demanded about $750,000 in bitcoin, a cryptocurrency, from
    the small, rural city to give it back control of its network.

    The city tried to recover the data on its own, City Manager Joseph
    Helfenberger recalled, but that failed. Its insurance company negotiated
    with the hackers and got the ransom down to about $470,000. It recommended
    paying, and officials figured that was the best option because the city
    would have to cover only the $10,000 deductible. ``This is not a rich
    community. They can't afford to spend money they don't have. You have to
    look at what is going to serve the community the best.''

    There were at least 113 successful ransomware attacks on state and local
    governments last year, according to global cybersecurity company Emsisoft,
    and in each case, officials had to figure out how to respond.
    <https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/>

    Some states have passed laws to target cybercriminals who deploy ransomware,
    but prosecutors have rarely used them. And local officials often are left
    vulnerable.

    In Baltimore last May, hackers crippled thousands of computers, then
    demanded a ransom of about $76,000 in bitcoin. Democratic Mayor Bernard C.
    `Jack' Young refused to pay. Workers were unable to access online accounts
    and payment systems for weeks.

    The attack ended up costing the city at least $18 million -- a combination
    of lost or delayed revenue and the expense of restoring systems. Young said
    in a statement last June that the FBI advised the city not to pay, and that
    it was ``just not the way we operate. ... We won't reward criminal
    behavior.'' The mayor's office did not respond to *Stateline* requests for
    comment.

    Baltimore and Lake City aren't alone. The majority of publicized ransomware
    attacks in the United States last year targeted local governments, according
    to a recent report by the National Governors Association and the National
    Association of State Chief Information Officers.
    <https://www.nga.org/center/publicat...-state-and-local-cybersecurity-collaboration/>

    Yet no one knows how many local and state governments have been hit by a
    ransomware attack. There is no national clearinghouse that collects all that
    information. Nor is every attack publicly reported. The FBI, which tracks
    national crime data, couldn't be reached for comment before publication.
    [...]

    https://www.pewtrusts.org/en/resear...tion-for-local-officials-to-pay-or-not-to-pay

    ------------------------------

    Date: Thu, 5 Mar 2020 12:26:12 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Through apps, not warrants, Locate X allows federal law enforcement
    to track phones (Protocol)

    *Federal agencies have big contracts with Virginia-based Babel Street.
    Depending on where you've traveled, your movements may be in the company's
    data.*

    U.S. law enforcement agencies signed millions of dollars worth of contracts
    with a Virginia company after it rolled out a powerful tool that uses data
    from popular mobile apps to track the movement of people's cell phones,
    according to federal contracting records and six people familiar with the
    software.

    The product, called Locate X and sold by Babel Street
    <https://www.babelstreet.com/>, allows investigators to draw a digital
    fence around an address or area, pinpoint mobile devices that were within
    that area, and see where else those devices have traveled, going back
    months, the sources told Protocol.

    They said the tool tracks the location of devices anonymously, using data
    that popular cell phone apps collect to enable features like mapping or
    targeted ads, or simply to sell it on to data brokers.

    Babel Street has kept Locate X a secret, not mentioning it in public-facing
    marketing materials and stipulating in federal contracts that even the
    existence of the data is *confidential information*. Locate X must be
    ``used for internal research purposes only,'' according to terms of use
    distributed to agencies, and law enforcement authorities are forbidden from
    using the technology as evidence -- or mentioning it at all -- in legal
    proceedings.
    <https://www.gsaadvantage.gov/ref_text/47QTCA18D0081/0V3LLR.3QTYM6_47QTCA18D0081_EISGSA2TERMS.PDF>

    Federal records show that U.S. Customs and Border Protection purchased
    Locate X, and the Secret Service and U.S. Immigration and Customs
    Enforcement also use the location-tracking technology, according to a
    former Babel Street employee. Numerous other government agencies have
    active contracts with Reston-based Babel Street, records show, but publicly
    available contract information does not specify whether other agencies
    besides CBP bought Locate X or other products and services offered by the
    company.

    None of the federal agencies, including CBP, would confirm whether they used
    the location-tracking software when contacted by Protocol. Babel Street's
    other products include an analytics tool it has widely marketed that sifts
    through streams of social media to `chart sentiment' about topics and
    brands.

    A former government official familiar with Locate X provided an example of
    how it could be used, referring to the aftermath of a car bombing or
    kidnapping. Investigators could draw what is known as a geo-fence around
    the site, identify mobile devices that were in the vicinity in the days
    before the attack, and see where else those devices had traveled in the
    days, weeks or months leading up to the attack, or where they traveled
    afterward.

    ``If you see a device that a month ago was in Saudi Arabia, then you know
    maybe Saudis were involved. It's a lead generator. You get a data point,
    and from there you use your other resources to figure out if it's valid.''

    A former Babel Street employee said the technology was deployed in a
    crackdown on credit card skimming
    <https://www.secretservice.gov/data/...Cold_Dish_of_Justice_to_Gas_Pump_Skimmers.pdf>,
    in which thieves install illegal card readers on gas station pumps,
    capturing customers' card data to use or sell online. The Secret Service was
    the lead agency in those investigations, which, according to published
    reports, led to arrests and the seizure of devices.

    A spokesperson for the Secret Service declined to comment on its work with
    Babel Street, saying the agency does not reveal methods used to carry out
    missions.

    While federal records show that CBP purchased Locate X and last year
    upgraded, paying for *premium* licenses, the records neither describe what
    Locate X does nor define the difference between a basic and premium
    license. A CBP spokesperson would not comment in detail about the use of
    the tool, but said the agency follows the law when deploying *open-source
    information*.

    Told of Protocol's reporting on Babel Street, Sen. Ron Wyden, a Democrat
    from Oregon who has pushed for tougher privacy legislation, questioned
    whether uses of the technology might violate the Fourth Amendment ban on
    unreasonable searches.

    The Supreme Court, in the landmark case Carpenter v. United States
    <https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf>, ruled in June
    2018 that the government must obtain a search warrant to access cell-tower
    location data for individual phone accounts. Wyden: The court ``recognized
    that the government needs a warrant to get someone's location data. Now the
    government is using its checkbook to try to get around Carpenter. Americans
    won't stand for that kind of loophole when it comes to our Fourth Amendment
    rights.''

    A spokesperson for Babel Street, Lacy Talton, declined to answer specific
    questions about the company's government sales or its Locate X technology,
    but said the firm handles data carefully to comply with both the law and
    Internet terms of service. There is no indication Babel Street is doing
    anything illegal. [...]

    https://www.protocol.com/government-buying-location-data

    ------------------------------

    Date: Mon, 9 Mar 2020 09:55:20 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: A hybrid AI model lets it reason about the world's physics
    like a child (MIT Tech Review)

    A new data set reveals just how bad AI is at reasoning -- and suggests that
    a new hybrid approach might be the best way forward.

    *Questions, questions:* Known as CLEVRER, the data set
    <http://clevrer.csail.mit.edu/#Dataset> consists of 20,000 short synthetic
    video clips and more than 300,000 question and answer pairings that reason
    about the events in the videos. Each video shows a simple world of toy
    objects that collide with one another following simulated physics. In one,
    a red rubber ball hits a blue rubber cylinder, which continues on to hit a
    metal cylinder.

    The questions fall into four categories: descriptive (e.g., What shape is
    the object that collides with the cyan cylinder?), explanatory (What is
    responsible for the gray cylinder's collision with the cube?), predictive
    (Which event will happen next?), and counterfactual (Without the gray
    object, which event will not happen?). The questions mirror many of the
    concepts that children learn early on as they explore their surroundings.
    But the latter three categories, which specifically require causal reasoning
    to answer, often stump deep-learning systems.

    *Fail:* The data set, created by researchers at Harvard, DeepMind, and
    MIT-IBM Watson AI Lab is meant to help evaluate how well AI systems can
    reason. When the researchers tested
    <https://arxiv.org/pdf/1910.01442.pdf> several
    state-of-the-art computer vision and natural language models with the data
    set, they found that all of them did well on the descriptive questions but
    poorly on the others.

    *Mixing the old and the new:* The team then tried a new AI system that
    combines both deep learning
    <https://www.technologyreview.com/g/deep-learning/> and symbolic logic.
    Symbolic systems used to be all the rage before they were eclipsed by
    machine learning in the late 1980s. But both approaches have
    their strengths: deep learning excels at scalability and pattern
    recognition; symbolic systems are better at abstraction and reasoning.

    The composite system, known as a neuro-symbolic model, leverages both: it
    uses a neural network to recognize the colors, shapes, and materials of the
    objects and a symbolic system to understand the physics of their movements
    and the causal relationships between them. It outperformed existing models
    across all categories of questions.
    <https://www.technologyreview.com/s/...-machines-learn-about-the-world-like-a-child/>

    *Why it matters:* As children, we learn to observe the world around us,
    infer why things happened and make predictions about what will happen next.
    These predictions help us make better decisions, navigate our environments,
    and stay safe. Replicating that kind of causal understanding in machines
    will similarly equip them to interact with the world in a more intelligent
    way.

    https://www.technologyreview.com/f/...c-system-reasons-like-child-deepmind-ibm-mit/

    ------------------------------

    Date: Tue, 3 Mar 2020 13:37:05 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This Satellite Startup Raised $110 Million To Make Your
    Cellphone Work Everywhere (Forbes)

    EXCERPT:

    Anyone who's been on a long hiking trip or had a car break down on a road
    trip knows that the phone connectivity you take for granted in your daily
    life can quickly disappear. Despite advances in technology, how far a voice
    or data signal can travel is still limited to how far away you are from a
    cellphone tower.

    The Midland, Texas-based AST & Science aims to use satellites to overcome
    those limitations. It's just raised $110 million in a series B round led by
    U.K.-based mobile provider Vodafone and Japanese e-tailer Rakuten to launch
    a mobile broadband network, called SpaceMobile, powered by satellites.
    These can connect to phones anywhere on the planet, when you're flying on an
    airplane, in a remote location, at sea -- anywhere, says the company's
    founder and CEO Abel Avellan.

    The company successfully tested its technology last year when it launched a
    prototype satellite called BlueWalker 1 in April. The satellite was able to
    successfully deliver signals to phones and demonstrate the company's
    abilities. With the new round of capital, which brings its total fundraising
    to $128 million, it will be able to ramp up production of the hundreds of
    satellites it plans to put in orbit, using a modular manufacturing approach
    to keep costs down.

    AST is one of several companies that's aiming to put satellites in low Earth
    orbit to provide data. SpaceX, OneWeb, Amazon and others are building large
    mega-constellations to provide broadband Internet directly to
    customers. Their target market is premium customers, taking advantage of the
    lower lag times provided by satellites to entice users away from broadband
    Internet providers such as Comcast or AT&T.

    By contrast, AST is targeting a different market. Rather than try to provide
    broadband Internet services, which requires building out bigger, higher-cost
    satellites and expensive ground infrastructure, it's instead partnering with
    mobile phone providers. For these providers, AST gives their customers the
    ability to use their existing devices in places that are hard to connect
    otherwise, such as in the mountains or on a cruise ship. It's a similar
    model to existing satellite phone providers like Iridium, except it
    doesn't require any proprietary hardware -- customers can use the phones
    they already own. [...]

    https://www.forbes.com/sites/alexkn...lion-to-make-your-cell-phone-work-everywhere/

    ------------------------------

    Date: Sat, 7 Mar 2020 09:37:13 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Your smartphone is dirtier than a toilet seat. Here's how to
    disinfect it. (Mashable)

    Yep, you read that right: There are 10 times more germs on our smartphones
    than on a toilet seat. So unless you're regularly cleaning your lil'
    portable germ box, you're not really doing *that* good a job of protecting
    yourself from getting sick. In fact, we should *all* be making a habit out
    of cleaning that damn thing, with or without the new coronavirus outbreak as
    motivation. <https://time.com/4908654/cell-phone-bacteria/>
    <https://mashable.com/article/uv-light-phone-sanitization-coronavirus-protection/>

    Apple offers a very detailed cleaning guideline
    <https://support.apple.com/en-us/HT207123> for iPhones, as does Google
    <https://support.google.com/pixelphone/answer/7533987?hl=en> for Pixels.
    Samsung, though, doesn't offer much for its Galaxy phones. But, it's safe to
    assume that they all can be cleaned in the same way because their surfaces
    share similar features: glass screens and/or casings with oil-repellent
    (oleophobic) coating, and some degree of water resistance.

    That means two things: It's okay to clean your phone with a damp cloth and
    you should stick with mild cleaning solutions to avoid damaging the glass
    coating. So, unless you have a fancy UV light
    <https://mashable.com/article/uv-light-phone-sanitization-coronavirus-protection/>
    to sanitize your phone, here's how you can get it done the old-fashioned
    way. What you need...

    [...]
    https://mashable.com/article/how-to-clean-smartphone-iphone-galaxy-pixel/

    ------------------------------

    Date: Mon, 9 Mar 2020 09:53:23 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: PCI Fireside Chat: Vint Cerf and Ian Bremmer (The Unstable Globe)

    *American political scientist, Ian Bremmer
    <https://www.eurasiagroup.net/people/ibremmer>, joined Internet pioneer and
    PCI co-founder, Vint Cerf <https://peoplecentered.net/people/vint-cerf/> for
    an inaugural virtual ``fireside chat'' to discuss today's evolving
    geopolitical and technological landscape.*

    The two explored how our increasingly interconnected world is changing
    dynamics among countries, challenging international institutions, and (at
    least temporarily) benefitting authoritarian regimes. The globe faces
    challenges -- including shifts in the influence of superpowers, polarization
    resulting from social media, and pandemics -- that require a new
    technological, political, social and institutional coherence that has yet to
    manifest.

    Some highlights, insights and soundbites from the conversation:


    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.61
    ************************
     
  14. LakeGator

    Risks Digest 31.62

    RISKS List Owner

    Mar 21, 2020 5:42 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 21 March 2020 Volume 31 : Issue 62

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.62>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Cleaning up part of the backlog; more to come]
    Many to blame in fatal crash of a Tesla (Tom Krisher via PGN)
    His Tesla was in a hit and run. It recorded the whole thing. (WashPost)
    NASA shows it's lost confidence in Boeing's ability to police its own work
    on Starliner space capsule (WashPost)
    Boeing Culture Concealment 747 Max report (The Guardian)
    Bad Air: Pilots worldwide complain of unsafe cabin fumes (Politico)
    Former acting Homeland Security inspector general indicted in data theft of
    250,000 workers (WashPost)
    Let's Encrypt discovers CAA bug, must revoke customer certificates (WiReD)
    The EARN IT Act Is a Sneak Attack on Encryption (WiReD)
    Wash Your Hands -- but Beware the Electric Hand Dryer (WiReD)
    Live Coronavirus Map Used to Spread Malware (Krebs)
    The Economic Ramifications of COVID-19 (Medium)
    FDA suspends most inspections of foreign drug, device and food manufacturers
    (WashPost)
    Downloading Zoom for work raises employee privacy concerns (Gabe Goldberg)
    Scam call centre owner in custody after BBC investigation (BBC News)
    Are AI baby monitors designed to save lives or just prey on parents'
    anxieties? (WashPost)
    In search of better browser privacy options (Web Informant)
    Assigning liability when medical AI is used (StatNews)
    Most Medical Imaging Devices Run Outdated Operating Systems (WiReD)
    Come on, Microsoft! Is it really that hard to update Windows 10 right?
    (Computerworld)
    A Botnet Is Taken Down in an Operation by Microsoft, Not the Government
    (NYTimes)
    Fuzzy matching vs. marlberries (Dan Jacobson)
    Giant Report Lays Anvil on US Cyber Policy (WiReD)
    Google tracked his bike ride past burglarized home, which made him a suspect
    (NBC News)
    Crimea, Kashmir, Korea -- Google redraws disputed borders, depending on
    who's looking (WashPost)
    What happens when Google loses your address? You cease to exist. (WashPost)
    Legislators Want to Block TikTok From Government Phones (LifeWire)
    H.R. 5680, Cybersecurity Vulnerability Identification and Notification Act
    of 2020 (Congressional Budget Office)
    Whisper left sensitive user data exposed online (WashPost)
    As the U.S. spied on the world, the CIA and NSA bickered (WashPost)
    Re: Mysterious GPS outages are wracking the shipping industry (Dmitri Maziuk)
    Re: ElectionGuard (John Levine)
    Re: What to do about artificially intelligent government (Amos Shapir)
    Re: 911 operators couldn't trace the location of a dying student's phone
    (John Levine)
    Re: Risks of Leap Years and Dumb Digital Watches (Amos Shapir, Terje Mathisen)
    Re: Risks of Leap Years ...., and depending on WWVB (Bob Wilson)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 21 Mar 2020 12:33:06 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Many to blame in fatal crash of a Tesla (Tom Krisher via PGN)

    Tom Krisher, SFChronicle.com (which as usual ignores the existence of the
    Science Fiction Chronicle), front page of the Chron's Business Report, 21
    Mar 2020, PGN-ed

    As we have noted in many cases (including Deepwater Horizon RISKS-29.49,
    the Boeing 737 Max, and many others), attempts to place blame are often
    frustrated by reality: blame may be widely distributed.

    The cited article by Tom Krisher notes the National Transportation Safety
    Board (NTSB) report released on 19 Mar 2020 on the Tesla crash on 1 March
    2019 in Delray Beach, Florida. The Tesla was under Autopilot driving at 69
    mph when the Autopilot neither braked nor otherwise attempted to avoid a
    tractor-trailer that crossed in its path.

    The report noted that all of the following factors were relevant:

    * The driver of the Tesla for not paying attention. He had turned the
    Autopilot on just 12.3 seconds before impact. Autosteer (which keeps the
    car centered in its lane) turned on 2.4 seconds later.

    * The driver (who was not injured) of the tractor-trailer, which sheared off
    the roof of the Tesla

    * Tesla, because it allowed the driver to avoid paying attention to the
    Autopilot, and failed to limit where it was safe to use the Autopilot, so it
    could be activated in conditions for which it was not designed. (However, Tesla told the
    NTSB investigators that ``forward collision warning and automatic
    emergency braking systems on Model 3 in the Delray crash weren't designed
    to activate for crossing traffic or to prevent crashes at high speeds.''
    Tesla also had noted that the driver wasn't warned about not having his
    hands on the wheel ``because the approximate 6-second duration was too
    short to trigger a warning under the circumstances.'' However, Tesla also
    claims that ``the Autopilot is a driver-assist system, and that drivers
    must be ready to intervene at all times.''

    * The National Highway Traffic Safety Administration (NHTSA) for its lax
    regulations, and failing to put limits on the use of automated driving
    systems to just those cases in which they were designed to work

    A statement from the NTSB chairman Robert Sumwalt noted this was the ``third
    fatal vehicle crash we have investigated where a driver's overreliance on
    Tesla's Autopilot and the operational design of the Tesla's Autopilot have
    led to tragic consequences.''

    Krisher notes that the Delray Beach crash was remarkably similar to one in
    Williston FL in 2016, which also killed the driver of a Tesla.

    ------------------------------

    Date: Sun, 8 Mar 2020 14:48:52 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: His Tesla was in a hit and run. It recorded the whole thing.
    (WashPost)

    The car is becoming a sentry, a chaperone, and a snitch.

    My parked car got gashed in a hit-and-run two weeks ago. I found a star
    witness: the car itself.

    Like mine, your car might have cameras. At least one rearview camera has
    been required on new American cars since 2018. I drive a Tesla Model 3 that
    has eight lenses pointing in every direction, which it uses for backing up,
    parking and cruise control. A year ago, Tesla updated its software to also
    turn its cameras into a 360-degree video recorder. Even when the car is off.
    <Backup cameras now required in new cars in the U.S.>
    <https://www.washingtonpost.com/tech...id=lk_inline_manual_4&itid=lk_inline_manual_4>

    All those digital eyes captured my culprit -- a swerving city bus
    -- in remarkable detail. [...]

    Without Sentry Mode, I wouldn't have known what hit me. The city's response
    to my hit-and-run report was that it didn't even need my video
    file. Officials had evidence of their own: That bus had cameras running,
    too.

    https://www.washingtonpost.com/technology/2020/02/27/tesla-sentry-mode/

    ------------------------------

    Date: Sat, 7 Mar 2020 13:55:13 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: NASA shows it's lost confidence in Boeing's ability to police its
    own work on Starliner space capsule (WashPost)

    https://www.washingtonpost.com/tech...-police-its-own-work-starliner-space-capsule/

    When trust erosion and brand outrage clobber a for-profit brand, either the
    marketplace settles the situation through corporate bankruptcy, or a remedy
    -- a second chance, a mulligan -- is applied to repair and restore business
    operations viability (aka profitability). NASA must reconcile a supplier
    dilemma with corporate ramifications that will significantly impact US space
    flight and strategic aerospace capabilities.

    Boeing's software factory concealed issues that compromised the Starliner
    mission. NASA apparently did not detect pre-release system/software
    under-achievements or qualification shortcuts introduced to achieve
    scheduled milestones. Rigorous release qualification practices and subject
    matter expertise for the systems under test are mandatory prerequisites that
    both supplier and customer must possess. Unless expertise is mutually
    shared, one party may be unfairly exploited for profit or convenience.

    Not certain what the Boeing/NASA RACI required (roles/responsibilities in
    terms of product engineering, test/measurement and review/sign-off), but
    someone should have pulled the 'showstopper' cord well before liftoff. That
    much is obvious from the Starliner mission record.

    A key enabler to promote product life cycle defect escape suppression is
    esprit de corps. Within Boeing, this intangible appears to have been
    weakened. An organization needs participants that embody the "worst customer
    in the world, best friend a product can find" inside the walls of their
    factory to represent uncompromised customer interests.

    Test engineers, especially, must embody this demeanor, and ethically abide
    by "do no harm" principles by reporting and escalating mission/life critical
    product deficiencies. These 'rara avises' enjoy breaking product. Finding
    and reporting what's broken, before release, fulfills a software editorial
    life cycle, a critical practice to achieve operational flight plan
    viability. A defect tracking platform that is policed jointly with the
    customer enables discussion and agreement on prioritized repairs. 'Release
    defect patrol' promotes informed consent.

    The product life cycle, especially in aerospace, requires all participants
    (supplier/regulator/customer) to ethically and professionally practice
    without fear of reprisal. 'Tin ear' management that fails to weigh project
    triple constraints (cost, schedule, scope) with product safety and
    mission/objectives must be held accountable for negligent practice.

    Transparency and review are necessary to remediate and repair Boeing's
    broken software factory. Aligning organizational objectives with mission
    deliverables, enforcing management accountability via disclosure and
    measurable achievement might yield fixed cost priorities. If the priorities
    are achieved in a timely fashion, a diminished aerospace brand might be
    salvaged.

    ------------------------------

    Date: Sat, 7 Mar 2020 12:47:02 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Boeing Culture Concealment 747 Max report (The Guardian)

    https://www.theguardian.com/busines...ture-concealment-fatal-737-max-crashes-report

    https://transportation.house.gov/im...gative Findings Boeing 737 MAX March 2020.pdf

    ------------------------------

    Date: Sun, 8 Mar 2020 08:07:23 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Bad Air: Pilots worldwide complain of unsafe cabin fumes (Politico)

    https://www.politico.com/news/2020/03/07/airplanes-unsafe-cabin-fumes-123362

    "Two years ago, the FAA warned in a safety alert that airlines and pilots
    should ensure their procedures and check-lists address what to do about
    odors and fumes on board and asked operators, manufacturers and regulators
    to boost efforts at prevention. But the FAA hasn't ordered manufacturers to
    actually change the way air on most planes gets funneled into the cabin,
    which pilots say can be fouled by engine oil intermixing with breathable
    air, due to the planes' design, combined with poor maintenance and faulty
    seals."

    Risk: Pilot blackout, breathing distress.

    ------------------------------

    Date: Sat, 7 Mar 2020 16:21:09 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Former acting Homeland Security inspector general indicted in
    data theft of 250,000 workers (WashPost)

    Charles K. Edwards and a former subordinate face a 16-count indictment in a
    scheme that prosecutors allege involved stolen government software and
    databases for resale.

    https://www.washingtonpost.com/loca...8eb39a-5fd3-11ea-9055-5fa12981bbbf_story.html

    ------------------------------

    Date: Sun, 8 Mar 2020 10:44:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Let's Encrypt discovers CAA bug, must revoke customer certificates
    (WiReD)

    A tiny backend bug at Let's Encrypt almost broke millions of websites.
    A five-day scramble ensured it didn't.

    https://www.wired.com/story/lets-encrypt-internet-calamity-that-wasnt/

    ------------------------------

    Date: Sat, 7 Mar 2020 19:36:09 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The EARN IT Act Is a Sneak Attack on Encryption (WiReD)

    The crypto wars are back in full swing.

    https://www.wired.com/story/earn-it-act-sneak-attack-on-encryption/

    ------------------------------

    Date: Sat, 7 Mar 2020 19:36:42 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Wash Your Hands -- but Beware the Electric Hand Dryer (WiReD)

    "Electric towels" were supposed to prevent the spread of contagious disease.
    What if they've been doing the opposite?

    https://www.wired.com/story/wash-your-hands-but-beware-the-electric-hand-dryer/

    ------------------------------

    Date: Sun, 15 Mar 2020 16:24:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Live Coronavirus Map Used to Spread Malware

    https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/

    ------------------------------

    Date: Fri, 13 Mar 2020 09:24:55 -0400
    From: John Ohno <john...@gmail.com>
    Subject: The Economic Ramifications of COVID-19 (Medium)



    Why America Will Suffer Greatly Under Covid-19:
    the Broken Economics of Coronavirus
    A perfect storm of flawed institutions
    Black Cat
    12 Mar 2020 6 min read
    John Ohno is a co-author of this article.

    A friend recently asked me: ``what could be done better in America to stop
    coronavirus?'' It was the kind of question that makes you pause for a good
    long while before answering -- because it suggests that the person asking
    you has misunderstood you already. There is no single action that anyone
    could or would take to slow this down, because these are systematic
    problems.

    This is going to be really bad. You should expect hospitals to get
    overwhelmed, which will turn nonlethal cases into lethal ones. You should
    expect international and national supply lines to be interrupted in some
    cases.

    You should stockpile about a month's worth of non-perishable foods and
    medicine to treat the symptoms. Lentils, rice, vitamin supplements, Tylenol,
    and Pedialyte -- these are the cheapest ways to do this. You should not be
    planning to avoid the disease -- you should be planning as though you are
    going to get the disease. It may be a hungry and generally awful summer, but
    if you do not have complicating conditions, you will survive.

    Here is why we will suffer terribly under this disease, even compared to
    other countries:
    * not enough paid sick days
    * no nationalized healthcare
    * insufficiently-coordinated response
    * perfect-storm of supply chains and debt

    These are all political choices, not features of the virus. This virus will
    be worse here because it has been set up to be worse.

    *Not enough paid sick days*

    America does not have enough paid sick days, especially not for food service
    workers, and these people do not own their own homes or have other sources
    of basic subsistence -- and so they will work when they are sick, because
    they have to. They cannot afford to be publicly-minded. They do not have
    the luxury of being nice.

    And because they will work when they are sick, they will infect you. They
    will infect the food that you eat -- stop eating out! Anywhere! -- they will
    infect your packages, and so on. Even if you are oh-so-cautious, other
    people will not be. And they will be infected. More than that, people will
    work through their infections. And so more of these cases will become
    acute. Which will mean more long-term organ damage and more deaths.

    *No nationalized healthcare*
    Sick people will not get treatment, and so they will infect more people than
    they otherwise would have, and be more likely to die. Those that survive
    will in many cases be saddled with medical debt, weighing down any future
    economic recovery.

    I really do not know what more to say about this. Even if you are wealthy
    and/or hate poor people, a bunch of people who are sick and can't afford
    treatment can get you sick -- there are very clear reasons of self-interest
    for having a health-care system that takes care of everyone.

    *Insufficiently coordinated response*
    The American health system isn't.

    This is worse than just the CDC avoiding testing people, to keep the
    official numbers low -- though that is a great example of how bureaucratic
    incentives can kill. Most of the known outbreaks in the US seem to simply be
    places where local health authorities circumvented the CDC and did their own
    tests -- it seems likely that there are many more outbreaks and many more
    cases in the US than it would appear on paper.

    There are multiple federal-level bureaus and NGOs responsible for the
    country-wide picture, and they are not set-up to coordinate properly. There
    are 50 state-level bureaus, each of which will do different things, and none
    of them are allowed to close state borders without congressional
    approval. There are about 3000 county-level health boards, and they all have
    different standards and different funding mechanisms. In addition, there are
    city-level efforts, and efforts being taken by private institutions. None of
    these are in any way coordinated.

    *Perfect Storm of Supply Chains and Debt*
    Automation hasn't made production
    or distribution or service more resilient, because it's been put toward
    further centralization -- rather than requiring a large proportion of
    blue-collar workers to stop work in order to stop production, a smaller
    proportion of a smaller number of white-collar workers control the machinery
    by which work is distributed to the blue-collar workers. That machinery is
    fragile enough that without monitoring it, it will become dysfunctional. It
    is possible that the flow of consumer goods into stores might be disrupted
    temporarily, making it hard to obtain some goods needed for daily life.

    The idea of a deadly disease that can spread not only through face-to-face
    contact but through the semi-automated alternatives we have redirected most
    of our commerce towards (mail order with packages sorted by people who
    certainly won't be taking sick days, & takeout delivered by the same) is
    uniquely suited to screwing up an economy in which both visible and hidden
    labor is largely performed by a growing precariat [?] whose contract with
    capital is based on the presumption of a happy path in which no catastrophes
    are permitted.

    Since the great recession, many firms have reoriented to operate at much
    higher ratios of debt to income. This, plus the just-in-time supply chains
    that have become common in the last few decades, makes these firms extremely
    fragile -- they have no buffer. Thus, a big disruption to a bunch of firms
    at once can make many of them be unable to service their debts or even go
    out of business, which disrupts supply chains further, which can cause more
    of these companies to become insolvent. This is all much more of a problem
    for smaller firms than it is for larger, richer, firms with more resources
    and more confidence from lenders: the eventual recovery will be one in which
    the big firms have had their smaller competitors eliminated.

    Essentially all the infrastructure has been built on the assumption that
    none of the other infrastructures would break down. Which has ironies,
    because it shows that the economy bears more isomorphs to the Stalinist one
    than anyone is really comfortable admitting -- everything is fine until
    circumstances change, and then people start dying, because neither allows
    much room for bottom-up flows of information or distributed responses.
    There's this assumption that the mass of blue-collar service workers will
    always be sufficiently available (at less-than-minimum-wage prices) to do
    whatever needs to be done, and a pandemic that hits the only people doing
    the traveling and touching the packages is going to really screw that up.
    So very much of our densely populated and highly interconnected world is
    based around the supposed invincibility of modern medicine: the vaccine,
    antibiotics, and so on. When that fails, so much else does, too. In a
    sense, there is a preview of a general strike, with this coronavirus.
    Evictions, rents, and mortgage payments have all been frozen in certain
    places. During the peak of this, people will either avoid going to work out
    of fear, or be sick enough to stay home. There are certain obvious
    similarities, and someone more schooled in the theory of this tactic might
    be able to point out how to exploit the coronavirus collapse.

    ------------------------------

    Date: Wed, 11 Mar 2020 09:38:51 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: FDA suspends most inspections of foreign drug, device and food
    manufacturers (The Washington Post)

    https://www.washingtonpost.com/heal...tions-foreign-drug-device-food-manufacturers/

    "FDA Commissioner Stephen Hahn said in a statement that the decision was
    based on State Department travel advisories, Centers for Disease Control
    and Prevention travel recommendations and restrictions imposed on foreign
    visitors by certain countries. He added the agency will 'maintain
    oversight over international manufacturers and imported products using
    alternative tools and methods.'"

    This FDA webpage https://datadashboard.fda.gov/ora/cd/inspections.htm shows
    the total number of inspections (foreign + domestic) 'taking a nosedive'
    starting in 2019.

    For business under deregulation, caveat emptor flourishes. For consumers,
    learn to ask tough questions about your physicians' suppliers BEFORE
    electing to purchase.

    ------------------------------

    Date: Sat, 14 Mar 2020 00:30:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Downloading Zoom for work raises employee privacy concerns

    Zoom is a work-from-home privacy disaster waiting to happen

    Just because you're working from home doesn't mean your boss isn't still
    keeping tabs on your every mouse click. In recent days, thanks in part to
    the social-distancing measures made necessary by the coronavirus outbreak,
    converts to the work-from-home life are being forced to contend with the
    widely used videoconferencing service Zoom. There's just one problem: It's
    not exactly privacy-friendly.

    Long the bane of remote workers, Zoom is equipped with numerous settings
    that even many of its longtime users may not know about. Take, for example,
    the "attendee attention tracking" feature. According to Zoom, if enabled,
    this feature allows hosts of conference calls -- i.e., your boss -- to
    monitor participants' computers.

    https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/

    I run Zoom on iPad while multi-tasking on computer, phone, whatever. I have
    camera disabled from app AND have mechanical cover over it, and I mute
    myself to not broadcast keyboard noise. I love Zoom -- much prefer it to
    other conferencing tools I've used -- and, of course, my conferences are
    related to volunteering so there's no "boss" involved.

    ------------------------------

    Date: Sat, 7 Mar 2020 14:16:31 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Scam call centre owner in custody after BBC investigation (BBC News)

    A scam call centre that targeted thousands of British victims has been
    raided by the Indian police, following a BBC investigation.



    Another one bites the dust. Leaving only ... how many? ... remaining.

    ------------------------------

    Date: Sun, 8 Mar 2020 14:51:32 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Are AI baby monitors designed to save lives or just prey on
    parents' anxieties? (WashPost)

    Advanced camera systems are raising fears of data collection, false alarms
    and newborn privacy: ``We have the technology to do this kind of constant
    surveillance and hyper-monitoring, [but] it's driving parents insane.''

    Baby-monitor companies are pushing artificial-intelligence technology into
    the family nursery, promising that surveillance software designed to record
    infants' faces, sounds and movements can save them from injury or death.

    But medical, parenting and privacy experts say the safety claims made for
    such Internet-connected systems aren't supported by science and merely prey
    on the fears of young parents to sell dubious technology. No federal agency
    has provided evidence to back them up.

    https://www.washingtonpost.com/technology/2020/02/25/ai-baby-monitors/

    ------------------------------

    Date: Mon, 9 Mar 2020 16:53:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: In search of better browser privacy options (Web Informant)

    A new browser privacy study by Professor Doug Leith, the Computer Science
    department chair at Trinity College is worth reading carefully. Leith
    instruments the Mac versions of six popular browsers (Chrome, Firefox,
    Safari, Edge, Yandex and Brave) to see what happens when they *phone home*.
    All six make non-obvious connections to various backend servers, with Brave
    connecting the least and Edge and Yandex (a Russian language browser) the
    most. How they connect and what information they transmit is worth
    understanding, particularly if you are paranoid about your privacy and want
    to know the details.

    https://blog.strom.com/wp/?p=7616

    ------------------------------

    Date: Mon, 9 Mar 2020 20:32:58 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Assigning liability when medical AI is used (StatNews)

    Doctors could be liable if they use an AI to make
    treatment decisions -- or if they don't use it.

    https://www.statnews.com/2020/03/09/can-you-sue-artificial-intelligence-algorithm-for-malpractice/

    "Regardless, AI vendors, many of which are start-ups, could be accruing
    liability of an unknown scale."

    "Big payouts or high-profile lawsuits could obliterate the emerging health
    AI sector, which is still a cottage industry."

    ------------------------------

    Date: Tue, 10 Mar 2020 18:22:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Most Medical Imaging Devices Run Outdated Operating Systems (WiReD)

    The end of Windows 7 support has hit health care extra hard, leaving several
    machines vulnerable.

    https://www.wired.com/story/most-medical-imaging-devices-run-outdated-operating-systems/

    Hardly news, but useful reminder. Next time I'm faced with some big med
    machine I'll ask to see its update log.

    ------------------------------

    Date: Thu, 12 Mar 2020 09:50:33 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Come on, Microsoft! Is it really that hard to update Windows 10
    right? (Computerworld)

    February Windows 10 patches were a mess. Is Microsoft ever going to get its
    Win10 patches act together?

    https://www.computerworld.com/artic...lly-that-hard-to-update-windows-10-right.html

    ------------------------------

    Date: Wed, 11 Mar 2020 01:20:54 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A Botnet Is Taken Down in an Operation by Microsoft, Not the
    Government (NYTimes)

    A Botnet Is Taken Down in an Operation by Microsoft, Not the Government
    https://www.nytimes.com/2020/03/10/us/politics/microsoft-botnets-malware.html

    ------------------------------

    Date: Thu, 12 Mar 2020 10:14:13 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Fuzzy matching vs. marlberries

    It was another ho-hum day when I did
    https://www.google.com/search?q=Ardisia+japonica+edible?

    > People also ask
    > Can you eat Marlberry?

    > Is it OK to eat mulberries off the tree?

    Clicking on the first said they were only for the birds, while
    clicking on the last said "Luckily, they're totally edible."

    Ah, no wonder, one is talking about marlberries, the other mulberries!
    So fuzzy matching has its dangers!

    [Dan, I'm afraid you *ardisia* now than you were before, so maybe you are
    also *fuzzy*, which ardisia is not. PGN]

    Ardisia = tropical evergreen subshrubs (some climbers) to trees of
    Asia and Australasia to Americas [syn: {Ardisia}, {genus Ardisia}]

    ------------------------------

    Date: Thu, 12 Mar 2020 09:45:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Giant Report Lays Anvil on US Cyber Policy (WiReD)

    Released today, the bipartisan Cyberspace Solarium Commission makes more
    than 75 recommendations that range from common-sense to befuddling.

    https://www.wired.com/story/opinion-giant-report-lays-anvil-on-us-cyber-policy

    ------------------------------

    Date: Mon, 9 Mar 2020 16:47:50 +0000
    From: "Fleming, Cody (cf5eg)" <cf...@virginia.edu>
    Subject: Google tracked his bike ride past burglarized home, which made
    him a suspect. (NBC News)

    https://www.nbcnews.com/news/us-new...-ride-past-burglarized-home-made-him-n1151761

    Summary: poor guy used an app to track his bicycle rides, then got charged
    with a burglary because his commute (and therefore his digital ID) took him
    past this lady's house at what was apparently the wrong time.

    Risks: getting an ominous -- but opaque and ambiguous -- notification from
    one of the world's largest, most powerful companies for...doing what
    exactly?

    ------------------------------

    Date: Sun, 8 Mar 2020 14:53:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Crimea, Kashmir, Korea -- Google redraws disputed borders,
    depending on who's looking (WashPost)

    The Silicon Valley firm alters maps under political pressure and the
    inscrutable whims of tech executives

    https://www.washingtonpost.com/technology/2020/02/14/google-maps-political-borders/

    The risk? War...

    ------------------------------

    Date: Tue, 10 Mar 2020 15:31:41 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: What happens when Google loses your address? You cease to exist.
    (WashPost)

    https://www.washingtonpost.com/opin...885f28-622c-11ea-b3fc-7841686c5c57_story.html

    ``This is how we discovered that Google Maps had two locations listed for
    our home. One was right, one was wrong. This seemed like a pretty minor
    problem in the scheme of things, and it was. For a while, I even thought it
    was kind of wonderful. We could be anonymous! Even Google didn't know where
    we lived! [...] But over time, as Google Maps got embedded in more and
    more apps, the problem worsened. Google Maps is used by Uber, Instacart,
    Lyft, Door Dash and even something called the Zombie Outbreak Simulator.''

    Risk: Sole-source location and route data supplier.

    The Rand McNally Road Atlas
    (https://store.randmcnally.com/2020-rand-mcnally-road-atlases.html)
    can't be beat for backup. Now available with protective vinyl cover!

    [Also noted by Gabe Goldberg. PGN]
    Every day, users contribute more than 20 million pieces of information
    to Google Maps. There are bound to be errors.

    ------------------------------

    Date: Fri, 13 Mar 2020 10:47:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Legislators Want to Block TikTok From Government Phones (LifeWire)

    Yes, there's an actual *No TikTok on Government Devices Act*

    *Why It Matters:*

    TikTok is one of the fastest growing social content sharing apps in the
    country, but it's also owned by a Chinese company. The U.S.'s security
    concerns are slamming up against legislators and government workers' dreams
    of becoming "TikTok Famous."

    https://www.lifewire.com/theres-an-actual-no-tiktok-government-devices-act-4799632

    ------------------------------

    Date: Sat, 14 Mar 2020 10:40:36 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: H.R. 5680, Cybersecurity Vulnerability Identification and
    Notification Act of 2020 (Congressional Budget Office)

    https://www.cbo.gov/publication/56198

    The pending legislation would impose fines on businesses that do not satisfy
    CISA (Cyber Infrastructure Security Agency) hygiene criteria.

    "ISPs that do not comply with subpoenas could be subject to civil and
    criminal penalties; therefore, the government might collect additional fines
    under the legislation."

    Let's see...~122M Internet domains registered in the U.S. currently
    (https://www.registrarowl.com/report_domains_by_country.php). Suppose a US
    $1000 penalty per violation? Might wipe out the U.S. budget deficit
    eventually.

    ------------------------------

    Date: Tue, 10 Mar 2020 18:20:04 +0100
    From: Peter Houppermans <not.f...@houppermans.net>
    Subject: Whisper left sensitive user data exposed online (WashPost)

    https://www.washingtonpost.com/tech...er-left-users-locations-fetishes-exposed-web/

    "Whisper, the secret-sharing app that called itself the *safest place on the
    Internet*, left years of users' most intimate confessions exposed on the Web
    tied to their age, location and other details, raising alarm among
    cybersecurity researchers that users could have been unmasked or
    blackmailed. The data exposure, discovered by independent researchers and
    shown to *The Washington Post*, allowed anyone to access all of the location
    data and other information tied to anonymous *whispers* posted to the
    popular social app, which has claimed hundreds of millions of users. The
    records were viewable on a non-password-protected database open to the
    public Web. A Post reporter was able to freely browse and search through the
    records, many of which involved children: A search of users who had listed
    their age as 15 returned 1.3 million results."

    It apparently took until *The Washington Post* contacted them for this to go
    offline, but that could just be a matter of parallel events as specialists
    had already given them a heads up. However, being contacted by the PRESS
    that you're busy leaking secrets strikes me as a near worst case scenario
    for such a company.

    ------------------------------

    Date: Fri, 06 Mar 2020 22:08:38 -0500
    From: David Lesher <wb8...@8es.com>
    Subject: As the U.S. spied on the world, the CIA and NSA bickered (WashPost)

    [Re: The Intelligence Coup of the Century (RISKS-31.58)]

    Greg Miller, *The Washington Post*, 6 Mar 2020

    As the U.S. spied on the world, the CIA and NSA bickered
    <https://www.washingtonpost.com/nati...0a4e72-5365-11ea-b119-4faabac6674f_story.html>

    U.S. spy agencies were on the verge of an espionage breakthrough, closing in
    on the clandestine purchase of a Swiss company that could give American
    intelligence the ability to crack much of the world's encrypted
    communications.

    But the deal fell apart, done in by one of many behind-the-scenes battles
    between the CIA and the National Security Agency detailed in classified
    documents tracing one of the most remarkable intelligence operations in
    American history. [...]

    ------------------------------

    Date: Fri, 6 Mar 2020 16:39:01 -0600
    From: Dmitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Mysterious GPS outages are wracking the shipping industry
    (RISKS-31.60)

    > I'm not saying that losing your GPS-based navigation is trivial, but any
    > ocean-going vessel and its crew should already be equipped to at least have
    > a reasonable chance of avoiding a navigation-related catastrophe.

    Gotta wonder what's "reasonable" for a supertanker the size of three WWII
    aircraft carriers, with a crew of six.

    ------------------------------

    Date: 6 Mar 2020 21:24:56 -0500
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: ElectionGuard (Lite via Rob Slade)

    The paper record goes into a ballot box, so they can count the paper ballots
    to check the software count. You can't let people take home a record of how
    they voted, since that enables vote buying.*

    Other than the buzzword factor, I'm trying to figure out what advantage this
    very complex scheme has over an off the shelf system where voters hand mark
    paper ballots and drop them in a ballot box. You can get computerized
    ballot boxes that count the ballots as they're dropped in the box if for
    some reason you believe it would be a problem to wait for the result while
    people hand-count them. That's what we use here in N.Y.

    * - We leave as an exercise for the reader whether it's really a good
    idea to do all absentee voting as Oregon does.

    [It seems like a lesser of weevils, as everything else may be worse. PGN]

    ------------------------------

    Date: Tue, 10 Mar 2020 09:20:42 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: What to do about artificially intelligent government (RISKS-31.60)

    The main risk is that instead of using AI just to flag special cases, to be
    decided by a human being later, decision makers would incorporate such AI
    systems into the process and (as usually happens) rely on them blindly.
    It's the old "Our computer says this must be so!" -- except that now, it's
    an *intelligent* computer...

    ------------------------------

    Date: 6 Mar 2020 21:32:17 -0500
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: 911 operators couldn't trace the location of a dying student's
    phone. (Stein, RISKS-31.60)

    Subsequent reports said that the student had a Chinese phone roaming from
    his Chinese carrier, and the phone probably didn't have the location
    hardware that US phones do.

    https://www.timesunion.com/news/art...d-by-flu-called-911-but-rescuers-15068290.php

    [Roger that, John. Wonder if there should be a standardized 'soft'
    GSM/CDMA emulation of h/w location discovery? If there was, it'd probably
    be full of holes. Nothing like a keyed and registered GPS locater to
    enable surveillance, I guess. RS]

    ------------------------------

    Date: Tue, 10 Mar 2020 09:29:40 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)

    It's most likely that the `smarter' watch types that track the year, insert
    29 Feb on years divisible by 4 (which in the simplest form, requires just
    looking at the lower 2 bits of the year number). These are going to fail on
    1 Mar 2100 (and 2200, 2300)! [Just another reminder. This shows up in
    RISKS more often than every now and then. PGN]
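
    The two rules side by side, as an added example (not part of Amos Shapir's
    post or of any watch firmware): the "lower two bits" test a simple watch
    might use versus the full Gregorian rule, with a helper that lists the years
    on which they disagree and shows what date a naive watch would display on
    the morning after 28 Feb. Function names are my own.

```python
import datetime


def naive_is_leap(year: int) -> bool:
    """Leap-year test a simple watch might use: only the low 2 bits of the year.

    This is exactly 'year divisible by 4' and ignores the century exceptions.
    """
    return (year & 3) == 0


def gregorian_is_leap(year: int) -> bool:
    """Full Gregorian rule: divisible by 4, except centuries, unless divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def divergent_years(start: int, end: int) -> list:
    """Years in [start, end] where the naive test disagrees with the Gregorian rule.

    The naive test accepts a superset of the true leap years, so every divergent
    year is one where the naive watch inserts a 29 Feb that does not exist.
    """
    return [y for y in range(start, end + 1) if naive_is_leap(y) != gregorian_is_leap(y)]


def naive_watch_date_after_feb28(year: int) -> str:
    """Date a naive watch displays on the day following 28 Feb of the given year."""
    if naive_is_leap(year):
        return f"29 Feb {year}"
    return f"1 Mar {year}"


def true_date_after_feb28(year: int) -> str:
    """The real calendar date following 28 Feb (datetime uses the proleptic Gregorian calendar)."""
    d = datetime.date(year, 2, 28) + datetime.timedelta(days=1)
    return f"{d.day} {d.strftime('%b')} {d.year}"


def accumulated_error_days(start: int, end: int) -> int:
    """Days a never-corrected naive watch lags the calendar after passing through [start, end]."""
    return len(divergent_years(start, end))


if __name__ == "__main__":
    for y in (2000, 2024, 2100):
        print(y, "naive:", naive_watch_date_after_feb28(y), "real:", true_date_after_feb28(y))
    print("divergent years 2000-2400:", divergent_years(2000, 2400))
    print("days behind by 2400:", accumulated_error_days(2000, 2400))
```

    Running it shows 2000 and 2024 agree (both leap), while on the morning after
    28 Feb 2100 the naive watch reads 29 Feb and stays a day behind until someone
    sets it; 2200 and 2300 each add another day, and 2400 is a leap year under
    both rules.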

    ------------------------------

    Date: Mon, 9 Mar 2020 11:59:45 +0100
    From: Terje Mathisen <terje....@tmsw.no>
    Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)

    > [3] have the kind that needs to be set back a day because (unlike the
    > smarter types that track the year or receive information from external
    > sources) it went directly from February 28 to March 1;

    nope:

    I've been part of the NTP Hackers team for ~25 years and for the last 10+ of
    those I have exclusively used Garmin Forerunner watches which have enough
    intelligence to do this right, as well as using the GPS network to keep the
    local time near-perfect.

    > and [4] *hadn't realized it yet*?'

    That did use to happen in the old days, with the Casio watches we used to
    record split times, yes. :)

    ------------------------------

    Date: Mon, 9 Mar 2020 15:00:35 -0500
    From: Bob Wilson <wil...@math.wisc.edu>
    Subject: Re: Risks of Leap Years ...., and depending on WWVB

    Last Saturday night (for most practical purposes) I checked my digital watch
    (which listens to WWVB for accurate time/date information) at what was still
    eight minutes after midnight at my house. The watch had, at midnight,
    checked in and apparently got a good signal. But it had already "leaped"
    forward, so it said 1:08 and had the date (which was correct) as 8 Mar. But
    of course the time was not legally supposed to go forward until 2:00 AM by
    my local time (CST, becoming CDT).

    I am wondering if that is a defect in the watch's firmware, or did WWVB send
    out an incorrect time signal? I have trusted WWV, with or without the B, for
    almost seven decades now, and I think I would rather blame the watch
    manufacturer than NIST. (Which I will probably be still calling NBS for as
    long as I am listening!)

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.62
    ************************